From 5ad592c593e0be958af318a796d7bef70778d546 Mon Sep 17 00:00:00 2001
From: Spencer Tang <spencertang@google.com>
Date: Wed, 28 Jan 2026 15:51:35 -0500
Subject: [PATCH 1/2] fix(setup): Gracefully handle internal-only Cloud

Code API enablement Modify `setup_workload_identity.sh` to prevent script failure when enabling the internal-only `cloudcode-pa.googleapis.com` API. The API enablement command now includes `|| true`, allowing the script to continue for public users without permissions for this service.
---
 scripts/setup_workload_identity.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/setup_workload_identity.sh b/scripts/setup_workload_identity.sh
index 2a854f74f..4e144e7c5 100755
--- a/scripts/setup_workload_identity.sh
+++ b/scripts/setup_workload_identity.sh
@@ -211,7 +211,6 @@ print_header "Step 1: Enabling required Google Cloud APIs"
 required_apis=(
     "aiplatform.googleapis.com"
     "cloudaicompanion.googleapis.com"
-    "cloudcode-pa.googleapis.com"
     "cloudresourcemanager.googleapis.com"
     "cloudtrace.googleapis.com"
     "iam.googleapis.com"
@@ -222,6 +221,7 @@ required_apis=(
 )
 
 gcloud services enable "${required_apis[@]}" --project="${GOOGLE_CLOUD_PROJECT}"
+gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
 print_success "APIs enabled successfully."
 
 # Step 2: Create Workload Identity Pool

From d4956b139edbff5a22cd9088d63a34e991054d0d Mon Sep 17 00:00:00 2001
From: Spencer <spencer.tang12@gmail.com>
Date: Wed, 28 Jan 2026 15:57:12 -0500
Subject: [PATCH 2/2] Update scripts/setup_workload_identity.sh

Co-authored-by: gemini-cli[bot] <218312386+gemini-cli[bot]@users.noreply.github.com>
Signed-off-by: Spencer  <spencer.tang12@gmail.com>
---
 scripts/setup_workload_identity.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/setup_workload_identity.sh b/scripts/setup_workload_identity.sh
index 4e144e7c5..0a18500f2 100755
--- a/scripts/setup_workload_identity.sh
+++ b/scripts/setup_workload_identity.sh
@@ -219,7 +219,9 @@ required_apis=(
     "monitoring.googleapis.com"
     "sts.googleapis.com"
 )
-
+# Separately enable the internal-only Cloud Code API, ignoring errors
+# for public users who may not have access.
+gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
 gcloud services enable "${required_apis[@]}" --project="${GOOGLE_CLOUD_PROJECT}"
 gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
 print_success "APIs enabled successfully."