
[awf] API Proxy: Gemini engine fails when GEMINI_API_KEY is a secret but not in runner environment #1931

@lpcox

Description

Problem

When using engine: gemini in a workflow, the Gemini CLI fails with exit code 41 (no authentication configured) even though GEMINI_API_KEY is correctly set as a repository secret. The failure log shows:

[INFO] API proxy enabled: OpenAI=false, Anthropic=false, Copilot=false
[WARN] ⚠️  API proxy enabled but no API keys found in environment

GEMINI_API_BASE_URL is being set to (host.docker.internal/redacted) (the AWF api-proxy), but the proxy reports no Gemini support.

Context

Root Cause

In src/docker-manager.ts lines 1657–1673, GEMINI_API_BASE_URL is only set to the api-proxy address when config.geminiApiKey is present. However, in the reported scenario, the api-proxy is enabled (--enable-api-proxy) but GEMINI_API_KEY is not being forwarded to the AWF process — it's being held as a repository secret injected into the GitHub Actions environment, not the AWF runner environment.

The [WARN] API proxy enabled but no API keys found means config.geminiApiKey is undefined at compose generation time (line 1672). Despite this, when the agent receives GEMINI_API_KEY through --env-all or explicit env forwarding, it gets excluded from the agent environment at line 600 (EXCLUDED_ENV_VARS.add('GEMINI_API_KEY')) when api-proxy is enabled — leaving the Gemini CLI with no credential.

Proposed Solution

  1. src/docker-manager.ts: When --enable-api-proxy is active and GEMINI_API_KEY is excluded from the agent environment (line 600), always set GEMINI_API_BASE_URL to the api-proxy address for port 10003 — regardless of whether the key is detected at compose-generation time. The api-proxy will return 503 if no key is available, which is a clearer failure than a silent auth error.

  2. src/docker-manager.ts: Change the log at line 1672 from [WARN] to [ERROR] when GEMINI_API_KEY is excluded but no key is configured — this surfaces the misconfiguration at startup rather than silently failing.

  3. containers/api-proxy/server.js: Verify the Gemini listener on port 10003 is initialized and that the health check reflects Gemini availability. Update the [INFO] API proxy enabled: ... log line to include Gemini=true/false.

  4. Docs: Update the api-proxy documentation to clarify that GEMINI_API_KEY must be present in the runner environment (not just repository secrets) when --enable-api-proxy is used, or add a mechanism to read it from the Actions secret at runtime.
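The compose-time decision described in the root cause and in steps 1 and 2, modelled as an added example (not awf's own code): the function names, the result shape and the proxy URL form are assumptions; only the port, the exclusion and the log text come from the issue.

```typescript
// Added illustration, not code from src/docker-manager.ts.
// GEMINI_PROXY_PORT is from the issue; the URL form is assumed.
export const GEMINI_PROXY_PORT = 10003;
export const GEMINI_PROXY_URL = `http://host.docker.internal:${GEMINI_PROXY_PORT}`;

export interface GeminiEnvResult {
  agentEnv: Record<string, string>;
  log?: string;
}

/**
 * configKey:     GEMINI_API_KEY as the AWF process sees it at compose time
 *                (undefined when the key lives only in the Actions secret).
 * forwardedEnv:  variables handed to the agent (for example via --env-all).
 * proposedFix:   false reproduces the reported behaviour, true the proposal.
 */
export function buildGeminiAgentEnv(
  configKey: string | undefined,
  forwardedEnv: Record<string, string>,
  enableApiProxy: boolean,
  proposedFix: boolean,
): GeminiEnvResult {
  const agentEnv: Record<string, string> = { ...forwardedEnv };
  if (!enableApiProxy) return { agentEnv };
  // With the proxy on, the key is always stripped from the agent environment
  // (EXCLUDED_ENV_VARS), so the agent can only authenticate via the proxy.
  delete agentEnv.GEMINI_API_KEY;
  // Reported behaviour: base URL only when the key was detected at compose time.
  // Proposed: always point the agent at the proxy; the proxy answers 503 without a key.
  if (proposedFix || configKey) {
    agentEnv.GEMINI_API_BASE_URL = GEMINI_PROXY_URL;
  }
  if (!configKey) {
    const level = proposedFix ? 'ERROR' : 'WARN';
    return { agentEnv, log: `[${level}] API proxy enabled but no API keys found in environment` };
  }
  return { agentEnv };
}

/** What the Gemini CLI inside the agent container can work with. */
export function classifyGeminiAuth(agentEnv: Record<string, string>): 'direct' | 'proxy' | 'none' {
  if (agentEnv.GEMINI_API_KEY) return 'direct';
  if (agentEnv.GEMINI_API_BASE_URL) return 'proxy';
  return 'none'; // the exit-code-41 situation from the report
}
```

With `proposedFix` false and an undefined `configKey`, the forwarded secret is stripped and no base URL is set, which is the no-credential state the report describes; with the fix the agent is routed to the proxy and the misconfiguration is logged at ERROR level.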

Generated by Firewall Issue Dispatcher
