🔴 Required Information
Describe the Bug:
The File Content Compliance CI check for hardcoded googleapis.com endpoints can fail on OAuth scope strings. The check scans each changed Python file for any googleapis.com URL, then requires the same file to contain an .mtls.googleapis.com counterpart.
This incorrectly treats OAuth scopes such as https://www.googleapis.com/auth/cloud-platform as service endpoints. OAuth scopes are not API endpoints and should not require an mTLS endpoint variant.
Steps to Reproduce:
- Open a pull request that modifies a Python file containing an OAuth scope string such as:
  scopes = ['https://www.googleapis.com/auth/cloud-platform']
- Ensure the file does not also contain .mtls.googleapis.com.
- Let the Continuous Integration workflow run.
- Observe the File Content Compliance / Check for hardcoded googleapis.com endpoints step.
Expected Behavior:
The CI check should not fail for OAuth scope URLs under https://www.googleapis.com/auth/, because they are not service endpoints and do not have mTLS endpoint counterparts.
The check should continue to fail for hardcoded service endpoints such as https://foo.googleapis.com/... when the corresponding .mtls.googleapis.com endpoint is missing.
Observed Behavior:
The check fails because it treats the OAuth scope as a hardcoded endpoint.
Example from PR #6201:
❌ Found hardcoded googleapis.com endpoints without mTLS support.
The following files must define both standard and mTLS (.mtls.googleapis.com) endpoints
to support dynamic endpoint selection as required by security policy:
src/google/adk/tools/mcp_tool/mcp_session_manager.py
The matched value in that file is an existing OAuth scope:
scopes = ['https://www.googleapis.com/auth/cloud-platform']
The relevant CI logic is in .github/workflows/continuous-integration.yml, around lines 244-258:
FILES_WITH_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES)
if [ -n "$FILES_WITH_ENDPOINTS" ]; then
FILES_MISSING_MTLS=$(grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)
fi
Because the match is file-level (grep -l) rather than URL-level, any changed file containing an OAuth scope is classified as an endpoint-bearing file and is then required to also contain .mtls.googleapis.com, even when it defines no service endpoint at all.
Environment Details:
- ADK Library Version (pip show google-adk): N/A. This affects the repository CI workflow.
- Desktop OS: N/A.
- Python Version (python -V): N/A.
Model Information:
- Are you using LiteLLM: N/A.
- Which model is being used: N/A.
🟡 Optional Information
Regression:
N/A.
Logs:
Example failed CI job:
https://github.com/google/adk-python/actions/runs/28122333977/job/83277473901?pr=6201
Screenshots / Video:
N/A.
Additional Context:
Related prior PR: a related earlier PR touched the .github/workflows/check-file-contents.yml workflow, but it was closed without being merged. The check is now in .github/workflows/continuous-integration.yml, where the false positive is still reproducible.
A possible fix is to classify matched URLs before building FILES_WITH_ENDPOINTS, and exclude OAuth scopes under https://www.googleapis.com/auth/ from the endpoint check.
For example:
FILES_WITH_ENDPOINTS=$(
grep -HEo 'https?://[a-zA-Z0-9.-]+\.googleapis\.com[^"'\''[:space:]]*' $CHANGED_FILES \
| grep -vE 'https://www\.googleapis\.com/auth(/|$)' \
| cut -d: -f1 \
| sort -u || true
)
Minimal Reproduction Code:
scopes = ['https://www.googleapis.com/auth/cloud-platform']
How often has this issue occurred?:
- Always (100%) when a changed Python file contains an OAuth scope matching https://www.googleapis.com/auth/... and does not contain .mtls.googleapis.com.