Release: Google SecOps Extension v1.0.0

[dandye]

Overview

This PR prepares the google-secops extension for its v1.0.0 release. It establishes the GitHub Actions workflow required to distribute the extension via GitHub Releases.

Key Changes

1. Release Workflow: Added .github/workflows/release-google-secops.yml.
   • Triggered by tags matching google-secops-v*.
   • Packages extensions/google-secops/ into a root-level google-secops.zip.
   • Security: Action softprops/action-gh-release pinned to SHA a06a81a (v2.5.0).
   • Permissions: Added contents: write for release creation.
2. Configuration: Updated gemini-extension.json.
3. Cleanup: Removed redundant secops-setup-gemini-cli skill.
4. Documentation: Updated GEMINI.md with "Known Issues" and sanitized internal URLs.

Testing Instructions

Prerequisite: Ensure your ~/.gemini/settings.json has preview features and extension configuration enabled:

{
  "general": {
    "previewFeatures": true
  },
  "experimental": {
    "skills": true,
    "extensionConfig": true
  }
}

To test the installation from the release artifact:

# 1. Clean up existing installation
gemini extensions uninstall google-secops

# 2. Download and Unzip (creates google-secops/ folder)
curl -L -o google-secops.zip https://github.com/google/mcp-security/releases/download/google-secops-v1.0.0/google-secops.zip
unzip google-secops.zip

# 3. Install from the unzipped directory
gemini extensions install ./google-secops

FAQ

Q: I see an error When using Gemini API, you must specify the GEMINI_API_KEY environment variable.
A: This means your Gemini CLI is configured to use the Gemini API (default), but the API key is not set in your environment. You must export GEMINI_API_KEY (or set it in ~/.gemini/.env) for the CLI to function.

Verification

• Verified google-secops.zip structure.
• Verified release creation via GitHub Actions.

Known Issues

1. @google/gemini-cli@preview may be required for the extensionConfig to work
2. The extensionConfig is experimental. See Per-extension configuration google-gemini/gemini-cli#18247

• Values set by the user are persisted to ~/.gemini/extensions/google-secops/.env
• Could we reference those in ~/.gemini/extensions/google-secops/GEMINI.md to set the needed Cust ID, Region, Proj ID?

1. It is difficult to figure out the SERVER_URL
   • Outside of us, must find the correct MREP/REP/LEP
   • The default value for the SERVER_URL (https://chronicle.us.rep.googleapis.com/mcp) wasn't shown when configuring
     • I'm working on a gh issue and gh pr to the gemini cli repo that would show default values, but this is a side-quest
2. Cust ID, Region, Proj ID are still needed in GEMINI.md
   • They are in the .env and referenced in the GEMINI.md (i.e. where to look for .env) but Gemini CLI still prompts the user to enter them. Responding with: "look in that .env file" works sometimes.

• /settings/profile in the web application doesn't tell you your tenant's region. This has long been a thorn.

Cust ID, Region, Proj ID

In our docs, we recommend adding to your GEMINI.md:
"""
Remote MCP servers require specific environment context for every request. It is recommended to include these in a context file (e.g., GEMINI.md or system prompt) for your LLM:

When using the secops-hosted-mcp MCP Server, use these parameters for EVERY request:
Customer ID:
Region:
Project ID:
"""

Screenshots of installation testing

---

The user is prompted for SERVER_URL and PROJECT_ID on ext install (only if the experimental.extensionConfig setting is present. )

---

if the experimental.extensionConfig setting is NOT present, the MCP server is installed but is "Disconnected".

---

Since the installer hasn't configured Cust ID, Region, Proj ID, they are prompted for them on first use of the tool. Those prompts don't include info on where to find those values. /settings/profile doesn't tell you the region.

---

Default Value

[dandye]

I'm trying this:

  "settings": [
    {
      "name": "PROJECT_ID",
      "defaultValue": "secops-demo-env",
      "description": "Your Google Cloud Project ID (from /settings/profile).",
      "envVar": "PROJECT_ID",
      "sensitive": false
    },
    {
      "name": "CUSTOMER_ID",
      "defaultValue": "a13f6726-efed-452e-9008-8fe0d3cb0f75",
      "description": "Your Chronicle Customer UUID (from /settings/profile).",
      "envVar": "CUSTOMER_ID",
      "sensitive": false
    },
    {
      "name": "REGION",
      "defaultValue": "us",
      "description": "Your Chronicle Region (e.g. 'us', 'europe-west1').",
      "envVar": "REGION",
      "sensitive": false
    },
  "mcpServers": {
    "remote-mcp-secops": {
      "httpUrl": "${SERVER_URL}",
      "authProviderType": "google_credentials",
      "oauth": {
        "scopes": [
          "https://www.googleapis.com/auth/cloud-platform"
        ]
      },
      "headers": {
        "x-goog-user-project": "${PROJECT_ID}"
      },
      "env": {
        "PROJECT_ID": "${PROJECT_ID}",
        "CUSTOMER_ID": "${CUSTOMER_ID}",
        "REGION": "${REGION}"
      },

The env values in the remote-mcp-secops aren't used but they are also written to .env (~/.gemini/extensions/google-secops/.env) and I'm saying explicitly in the extension's GEMINI.md to use that file.