ci: add GCP Workload Identity Federation for Vertex AI recording workflow #5276

Open
Artemon-line wants to merge 8 commits into llamastack:main from Artemon-line:ci/vertexai-workload-identity-federation

@Artemon-line
Contributor

Summary

  • Add keyless OIDC-based authentication (Workload Identity Federation) for the vertexai provider in the record-integration-tests workflow, replacing the need for static service account credentials
  • Add vertexai to the provider matrix and default workflow_dispatch providers list
  • Fork PRs skip the GCP auth step (OIDC tokens are not available)

Closes #5272

Required setup by maintainers

Two repository secrets need to be configured:

  • GCP_WORKLOAD_IDENTITY_PROVIDER — full WIF provider resource name (projects/<id>/locations/global/workloadIdentityPools/<pool>/providers/<provider>)
  • VERTEX_AI_PROJECT — GCP project ID

VERTEX_AI_LOCATION is hardcoded to global (not sensitive, required for Gemini models).

Test plan

  • YAML validation passed (check-yaml pre-commit hook)
  • Trailing whitespace and EOF checks passed
  • Dry-run validated locally with act (act -n workflow_dispatch):
    • Workflow parses without errors
    • All 6 provider matrix jobs (including vertexai as record-providers-6) resolve correctly
    • google-github-actions/auth action (pinned SHA) is recognized and cloned for the vertexai job
    • Job dependency graph is correct (compute-pr-info → record-providers → comment-summary)
    • All jobs succeed in dry-run mode
  • Full end-to-end validation requires the repository secrets to be configured and a manual workflow_dispatch run

Note: act can validate workflow structure, matrix expansion, and step resolution, but cannot test actual OIDC token exchange or GCP authentication since those require GitHub's token endpoint.

🤖 Generated with Claude Code

…flow

Add keyless OIDC-based authentication for the vertexai provider in the
record-integration-tests workflow using google-github-actions/auth with
Workload Identity Federation, replacing the need for static service
account credentials.

Changes:
- Add id-token: write permission for OIDC token exchange
- Add vertexai provider to the recording matrix (suite: responses)
- Add google-github-actions/auth step (pinned SHA, v3) conditional on
  vertexai provider and non-fork PRs
- Set VERTEX_AI_PROJECT from secret and VERTEX_AI_LOCATION to global
- Add vertexai to default workflow_dispatch providers list

Requires two repository secrets to be configured by maintainers:
- GCP_WORKLOAD_IDENTITY_PROVIDER (WIF provider resource name)
- VERTEX_AI_PROJECT (GCP project ID)

Closes llamastack#5272

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Artemy <ahladenk@redhat.com>
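
The workflow shape the commit message above describes, as an added sketch that is not the PR's actual diff or the project's own workflow file. The triggers, the job layout, the `matrix.provider` key, the fork check expression and the final `run` command are assumptions; `<PINNED_COMMIT_SHA>` is a placeholder for the full commit SHA of the release being pinned.

```yaml
# Added illustration; not taken from the pull request.
name: record-integration-tests (sketch)

on:
  workflow_dispatch:   # assumed trigger
  pull_request:        # assumed trigger

permissions:
  contents: read
  id-token: write      # allows the job to request a GitHub OIDC token for the WIF exchange

jobs:
  record-providers:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        provider: [vertexai]   # other providers omitted; key name is an assumption
    steps:
      - uses: actions/checkout@<PINNED_COMMIT_SHA>

      # Keyless auth: no credentials_json input and no service account key stored as a secret.
      # Skipped for fork PRs, where no OIDC token or repository secret is available.
      - name: Authenticate to GCP via Workload Identity Federation
        if: >-
          matrix.provider == 'vertexai' &&
          (github.event_name != 'pull_request' ||
           github.event.pull_request.head.repo.full_name == github.repository)
        uses: google-github-actions/auth@<PINNED_COMMIT_SHA>   # v3, pinned by SHA
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          project_id: ${{ secrets.VERTEX_AI_PROJECT }}

      - name: Record integration tests
        env:
          VERTEX_AI_PROJECT: ${{ secrets.VERTEX_AI_PROJECT }}
          VERTEX_AI_LOCATION: global
        run: echo "recording command goes here"   # hypothetical placeholder
```

Without the `if:` gate, the auth step would fail on fork PRs rather than being skipped, because the job has neither an OIDC token nor the provider secret in that context.
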
@meta-cla (bot) added the CLA Signed label (this label is managed by the Meta Open Source bot) on Mar 25, 2026
Artemon-line added a commit to Artemon-line/llama-stack that referenced this pull request Mar 27, 2026
Add vertexai to the CI responses test suite, enabling integration testing
of the vertexai provider. Recordings will be auto-generated by the CI
recording workflow after the WIF authentication PR (llamastack#5276) merges.

- Add vertexai setup definition to tests/integration/suites.py
- Add vertexai entry to CI matrix (ci_matrix.json)
- Register vertexai model and provider in ci-tests distribution template
- Add google-genai SDK patching to api_recorder.py for record/replay
- Add vertexai-specific test skips for unsupported features (logprobs,
  service_tier, file search filters, incomplete_details length)
- Add CI workflow env vars for vertexai in integration-tests.yml
- Add VERTEX_AI env var passthrough in integration-tests.sh

Closes llamastack#5102

Signed-off-by: Artemy Hladenko <ahladenk@redhat.com>
Signed-off-by: Artemy <ahladenk@redhat.com>
Collaborator

@cdoern cdoern left a comment

lgtm. secrets exist now.

Development

Successfully merging this pull request may close these issues.

ci: add GCP Workload Identity Federation for Vertex AI in record-integration-tests workflow
