🔴 Required Information
Describe the Bug:
The File Content Compliance CI check for hardcoded googleapis.com endpoints can fail on OAuth scope strings. The check scans each changed Python file for any googleapis.com URL, then requires the same file to contain an .mtls.googleapis.com counterpart.
This incorrectly treats OAuth scopes such as https://www.googleapis.com/auth/cloud-platform as service endpoints. OAuth scopes are not API endpoints and should not require an mTLS endpoint variant.
Steps to Reproduce:
- Open a pull request that modifies a Python file containing an OAuth scope string such as:
  scopes = ['https://www.googleapis.com/auth/cloud-platform']
- Ensure the file does not also contain .mtls.googleapis.com.
- Let the Continuous Integration workflow run.
- Observe the File Content Compliance / Check for hardcoded googleapis.com endpoints step.
Expected Behavior:
The CI check should not fail for OAuth scope URLs under https://www.googleapis.com/auth/, because they are not service endpoints and do not have mTLS endpoint counterparts.
The check should continue to fail for hardcoded service endpoints such as https://foo.googleapis.com/... when the corresponding .mtls.googleapis.com endpoint is missing.
Observed Behavior:
The check fails because it treats the OAuth scope as a hardcoded endpoint.
Example from PR #6201:
❌ Found hardcoded googleapis.com endpoints without mTLS support.
The following files must define both standard and mTLS (.mtls.googleapis.com) endpoints
to support dynamic endpoint selection as required by security policy:
src/google/adk/tools/mcp_tool/mcp_session_manager.py
The matched value in that file is an existing OAuth scope:
scopes = ['https://www.googleapis.com/auth/cloud-platform']
The relevant CI logic is in .github/workflows/continuous-integration.yml, around lines 244-258:
FILES_WITH_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES)
if [ -n "$FILES_WITH_ENDPOINTS" ]; then
  FILES_MISSING_MTLS=$(grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)
fi
Because this is file-level matching, any changed file containing an OAuth scope can be classified as an endpoint-bearing file.
Environment Details:
- ADK Library Version (pip show google-adk): N/A. This affects the repository CI workflow.
- Desktop OS: N/A.
- Python Version (python -V): N/A.
Model Information:
- Are you using LiteLLM: N/A.
- Which model is being used: N/A.
🟡 Optional Information
Regression:
N/A.
Logs:
Example failed CI job:
https://github.com/google/adk-python/actions/runs/28122333977/job/83277473901?pr=6201
Screenshots / Video:
N/A.
Additional Context:
Related prior PR: an earlier PR (link not preserved here) targeted the .github/workflows/check-file-contents.yml workflow, but it was closed without being merged. The check is now in .github/workflows/continuous-integration.yml, where the false positive is still reproducible.
A possible fix is to classify matched URLs before building FILES_WITH_ENDPOINTS, and exclude OAuth scopes under https://www.googleapis.com/auth/ from the endpoint check.
For example:
FILES_WITH_ENDPOINTS=$(
  grep -HEo 'https?://[a-zA-Z0-9.-]+\.googleapis\.com[^"'\''[:space:]]*' $CHANGED_FILES \
    | grep -vE 'https://www\.googleapis\.com/auth(/|$)' \
    | cut -d: -f1 \
    | sort -u || true
)
Minimal Reproduction Code:
scopes = ['https://www.googleapis.com/auth/cloud-platform']
How often has this issue occurred?:
- Always (100%) when a changed Python file contains an OAuth scope matching https://www.googleapis.com/auth/... and does not contain .mtls.googleapis.com.
Update after 8a7656b:
After this issue was filed, the relevant check moved on main in commit 8a7656b.
That commit consolidated the inline GitHub Actions compliance checks into scripts/compliance_checks.py and removed the compliance-check job from .github/workflows/continuous-integration.yml.
So the original problem description above is still valid, but the location that should be fixed has changed:
- Original location at filing time: .github/workflows/continuous-integration.yml
- Current location on main: scripts/compliance_checks.py
The current implementation is (excerpt; re and _EXCLUDED_FROM_MTLS come from the rest of the script):
def check_mtls(content: str, filename: str) -> bool:
  if filename in _EXCLUDED_FROM_MTLS:
    return True
  # Pattern for googleapis: https?://[a-zA-Z0-9.-]+\.googleapis\.com
  endpoint_pattern = re.compile(r'https?://[a-zA-Z0-9.-]+\.googleapis\.com')
  if endpoint_pattern.search(content):
    return '.mtls.googleapis.com' in content
  return True
This still treats OAuth scope URLs such as https://www.googleapis.com/auth/cloud-platform as googleapis.com endpoints. The fix should now be applied in scripts/compliance_checks.py, likely by extracting or matching non-scope googleapis.com URLs and excluding OAuth scopes under https://www.googleapis.com/auth/ before requiring an .mtls.googleapis.com counterpart.
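As an added example (not the project's code and not the shell patch proposed above), here is one way the scope-aware classification could be written in Python so it fits the shape of check_mtls in scripts/compliance_checks.py. It serves both the shell fragment under Additional Context and the Python helper quoted above: every googleapis.com URL in the file is classified as an OAuth scope, an mTLS endpoint or a plain service endpoint before the mTLS rule is applied, so a scope like https://www.googleapis.com/auth/cloud-platform never triggers the check, while a scope sitting next to an unpaired service endpoint does not mask it. The pairing is done per host (foo.googleapis.com requires foo.mtls.googleapis.com), which is slightly stricter than the current file-level substring test. The function names, the per-host pairing rule and the sample file contents are assumptions made for this example.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Added example, not the project's code: a scope-aware version of check_mtls.
# Function names, the per-host pairing rule and the sample inputs are assumptions.

# Match the whole URL (host and path), not just the host, so every hit can be
# classified before the mTLS rule is applied. The match stops at quotes,
# whitespace and common closing delimiters.
_GOOGLEAPIS_URL = re.compile(
    r'''https?://[a-zA-Z0-9.-]+\.googleapis\.com[^"'\s)>\]]*'''
)
_SCOPE_HOST = 'www.googleapis.com'
_MTLS_LABEL = '.mtls.googleapis.com'
_API_LABEL = '.googleapis.com'


def is_oauth_scope(url: str) -> bool:
    """True for OAuth scope identifiers: host www.googleapis.com, path under /auth/."""
    parts = urlsplit(url)
    return parts.hostname == _SCOPE_HOST and (
        parts.path == '/auth' or parts.path.startswith('/auth/')
    )


def classify_urls(content: str) -> Dict[str, List[str]]:
    """Bucket every googleapis.com URL in content as 'scope', 'mtls' or 'endpoint'."""
    buckets: Dict[str, List[str]] = {'scope': [], 'mtls': [], 'endpoint': []}
    for match in _GOOGLEAPIS_URL.finditer(content):
        url = match.group(0)
        host = urlsplit(url).hostname or ''
        if is_oauth_scope(url):
            buckets['scope'].append(url)
        elif host.endswith(_MTLS_LABEL):
            buckets['mtls'].append(url)
        else:
            buckets['endpoint'].append(url)
    return buckets


def missing_mtls_hosts(content: str) -> List[str]:
    """Return the <svc>.mtls.googleapis.com hosts that the file's service
    endpoints require but that appear nowhere in content (per-host pairing)."""
    buckets = classify_urls(content)
    present = {urlsplit(u).hostname for u in buckets['mtls']}
    missing: List[str] = []
    for url in buckets['endpoint']:
        host = urlsplit(url).hostname or ''
        expected = host[: -len(_API_LABEL)] + _MTLS_LABEL
        if expected not in present and expected not in missing:
            missing.append(expected)
    return missing


def check_mtls(content: str, filename: str, excluded=frozenset()) -> bool:
    """Same shape as the current helper: True when the file passes the check."""
    if filename in excluded:
        return True
    return not missing_mtls_hosts(content)


# Constructed sample file contents for a stand-alone run.
SCOPE_ONLY = "scopes = ['https://www.googleapis.com/auth/cloud-platform']\n"
ENDPOINT_ONLY = 'BASE = "https://foo.googleapis.com/v1/things"\n' + SCOPE_ONLY
ENDPOINT_PAIRED = ENDPOINT_ONLY + 'MTLS = "https://foo.mtls.googleapis.com/v1/things"\n'

if __name__ == '__main__':
    for name, text in [('scope only', SCOPE_ONLY),
                       ('endpoint only', ENDPOINT_ONLY),
                       ('endpoint paired', ENDPOINT_PAIRED)]:
        print(f'{name}: ok={check_mtls(text, "x.py")} missing={missing_mtls_hosts(text)}')
```

The scope test is deliberately narrow (host www.googleapis.com and a path under /auth/): other www.googleapis.com URLs, such as token or discovery endpoints, are still treated as service endpoints, which matches the expected behavior stated above.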