engine: gemini — API key rejected by proxy sidecar despite valid key
When using engine: gemini in an agentic workflow, the Gemini API returns API_KEY_INVALID even though the key is valid and confirmed working via direct curl requests.
Evidence
- The validation step passes:
✅ GEMINI_API_KEY: Configured
- Direct curl to
generativelanguage.googleapis.com with the same key succeeds and returns model data
- The workflow fails immediately with:
API key not valid. Please pass a valid API key.
status: INVALID_ARGUMENT
Proxy configuration from logs
[INFO] API proxy enabled: OpenAI=false, Anthropic=false, Copilot=false, Gemini=true
The lock file routes Gemini calls through the proxy sidecar:
GEMINI_API_BASE_URL: http://host.docker.internal:10003
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}Suspected cause
The API proxy sidecar at host.docker.internal:10003 appears to not be forwarding the API key correctly to generativelanguage.googleapis.com, or is stripping/modifying it in transit.
Reproduction
- Create a workflow with
engine: gemini
- Add a valid
GEMINI_API_KEY as a repo secret
- Run the workflow — validation passes but agent execution fails with
API_KEY_INVALID
Environment
- gh-aw compiler: v0.68.1
- Gemini CLI: bundled version from
node/24.14.1
- Runner: ubuntu-latest
engine: gemini— API key rejected by proxy sidecar despite valid keyWhen using
engine: geminiin an agentic workflow, the Gemini API returnsAPI_KEY_INVALIDeven though the key is valid and confirmed working via directcurlrequests.Evidence
✅ GEMINI_API_KEY: Configuredgenerativelanguage.googleapis.comwith the same key succeeds and returns model dataProxy configuration from logs
The lock file routes Gemini calls through the proxy sidecar:
Suspected cause
The API proxy sidecar at
host.docker.internal:10003appears to not be forwarding the API key correctly togenerativelanguage.googleapis.com, or is stripping/modifying it in transit.Reproduction
engine: geminiGEMINI_API_KEYas a repo secretAPI_KEY_INVALIDEnvironment
node/24.14.1