Problem
The Gemini CLI fails with exit code 41 when invoked through the AWF api-proxy with two compounding failures:
ENOENT: no such file or directory, rename '.../projects.json.tmp' -> '.../projects.json' — Gemini CLI cannot write its project registry during initialization.
Please set an Auth method ... GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA — No authentication is configured despite the API proxy being enabled.
Log evidence:
[WARN] API proxy enabled but no API keys found in environment
Failed to save project registry: Error: ENOENT: no such file or directory,
rename '.../projects.json.tmp' -> '.../projects.json'
Please set an Auth method in your settings.json or specify one of the following
environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI,
GOOGLE_GENAI_USE_GCA
[WARN] Command completed with exit code: 41
Context
Root Cause
Two separate issues:
1. Project registry ENOENT: The Gemini CLI attempts to write projects.json at ~/.gemini/ inside the agent container. In src/docker-manager.ts line 985–987, ~/.gemini is bind-mounted from the host (${effectiveHome}/.gemini:/host${effectiveHome}/.gemini:rw). If ~/.gemini/ does not exist on the host at workflow run time, the bind mount creates it as a directory, but Gemini CLI's tmp-file rename pattern fails because the directory structure inside may not match expectations (e.g., parent directory missing for projects.json.tmp).
2. No API key: When api-proxy is enabled, GEMINI_API_KEY is added to EXCLUDED_ENV_VARS (line 600 of src/docker-manager.ts), but GEMINI_API_BASE_URL is only set to the proxy when config.geminiApiKey is truthy (line 1657). If the key isn't available to the AWF process (only in GitHub Actions secrets), GEMINI_API_BASE_URL is not set, and the Gemini CLI finds no authentication method.
Proposed Solution
- src/docker-manager.ts: Pre-create ~/.gemini/ directory on the host before mounting it (similar to how agent-session-state is created at lines 1867–1878). Ensure the directory exists before the compose config is generated.
- src/docker-manager.ts: Decouple GEMINI_API_BASE_URL assignment from config.geminiApiKey presence. When --enable-api-proxy is active, always set GEMINI_API_BASE_URL to the proxy and always add GEMINI_API_KEY to EXCLUDED_ENV_VARS. The proxy returns 503 if the key isn't configured — a clear failure vs. a confusing auth error.
- containers/api-proxy/server.js: Add the Gemini listener status to the API proxy enabled: info log (currently only shows OpenAI/Anthropic/Copilot).
- Docs: Document that GEMINI_API_KEY must be accessible in the runner environment (not only as a GitHub Actions secret) when using --enable-api-proxy.
Generated by Firewall Issue Dispatcher
Context
gemini, CLI version: v0.65.0, AWF: v0.65.0
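Added example (not part of the original issue and not AWF's own code): a model of the environment construction described under Root Cause item 2 and the decoupled behaviour proposed for it, with an audit of the two invariants proxy mode is meant to hold. The function names, the gateOnKey switch and the proxy URL are hypothetical; the sample environment is constructed.

```typescript
// Added illustration of the env-construction fix; hypothetical names, not src/docker-manager.ts.
type Env = { [name: string]: string };

interface ProxyConfig {
  enableApiProxy: boolean;
  geminiApiKey?: string; // key as visible to the AWF process; may be unset
}

// Constructed placeholder: the issue does not give the proxy address.
const PROXY_URL = "http://api-proxy.example.invalid:8080";

// gateOnKey=true models the reported behaviour (base URL set only when the key
// is truthy); gateOnKey=false models the proposed decoupled behaviour.
function buildAgentEnv(hostEnv: Env, cfg: ProxyConfig, gateOnKey: boolean): Env {
  const excluded: string[] = cfg.enableApiProxy ? ["GEMINI_API_KEY"] : [];
  const env: Env = {};
  for (const name of Object.keys(hostEnv)) {
    if (excluded.indexOf(name) === -1) env[name] = hostEnv[name];
  }
  if (cfg.enableApiProxy && (!gateOnKey || Boolean(cfg.geminiApiKey))) {
    env["GEMINI_API_BASE_URL"] = PROXY_URL;
  }
  return env;
}

// Invariants for proxy mode: the agent never holds the real key, and its
// Gemini traffic is always pointed at the proxy.
function auditAgentEnv(env: Env, cfg: ProxyConfig): string[] {
  const findings: string[] = [];
  if (!cfg.enableApiProxy) return findings;
  if ("GEMINI_API_KEY" in env) findings.push("GEMINI_API_KEY leaked into agent env");
  if (env["GEMINI_API_BASE_URL"] !== PROXY_URL) {
    findings.push("GEMINI_API_BASE_URL not pointed at proxy");
  }
  return findings;
}

// Constructed scenario from the issue: the key exists only as an Actions secret,
// so the AWF process sees neither the env var nor config.geminiApiKey.
const hostEnv: Env = { HOME: "/home/runner", PATH: "/usr/bin" };
const cfg: ProxyConfig = { enableApiProxy: true };

const reported = auditAgentEnv(buildAgentEnv(hostEnv, cfg, true), cfg);
const proposed = auditAgentEnv(buildAgentEnv(hostEnv, cfg, false), cfg);
console.log({ reported, proposed });
```

An audit like this can run as a unit test over the generated compose environment, so a regression that re-couples routing to key presence fails in CI rather than as exit code 41 in a workflow.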