chore: librarian release pull request: 20260126T120558Z

[daniel-sanche]

PR created by the Librarian CLI to initialize a release. Merging this PR will auto trigger a release.

Librarian Version: v0.8.0
Language Image: us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:b8058df4c45e9a6e07f6b4d65b458d0d059241dd34c814f151c8bf6b89211209

google-auth: 2.49.0-dev0

2.49.0-dev0 (2026-01-26)

Features

• honor NO_GCE_CHECK environment variable (feat: honor NO_GCE_CHECK environment variable #1610) (383c9827)

• add configurable GCE Metadata Server retries (feat: add configurable GCE Metadata Server retries #1488) (454b441b)

• add cryptography as required dependency (feat: add cryptography as required dependency #1929) (52558ae2)

• Support the mTLS IAM domain for Certificate based Access (feat(iam): Support the mTLS IAM domain for Certificate based Access #1938) (8dcf91a1)

Bug Fixes

• resolve circular imports (fix: resolve circular imports #1942) (25c1b064)

• Use user_verification=preferred for ReAuth WebAuthn challenge (fix: Use user_verification=preferred for ReAuth WebAuthn challenge #1798) (3f88a240)

• removes content-header from AWS IMDS get request (fix: removes content-header from AWS IMDS get request #1934) (97bfea9e)

• detect correct auth when ADC env var is set but empty (fix: detect correct auth when ADC env var is set but empty #1374) (bfc07e10)

• replace deprecated utcfromtimestamp (fix: replace deprecated utcfromtimestamp #1799) (e431f20c)

[gemini-code-assist]

Summary of Changes

Hello @daniel-sanche, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated release preparation for the google-auth Python library, advancing its version to 2.49.0-dev0. The update integrates several new functionalities, such as enhanced GCE metadata server interaction and mTLS support, alongside crucial bug fixes. A significant underlying change involves streamlining dependencies by refactoring the rsa library's role, favoring cryptography for RSA operations while ensuring compatibility for existing rsa usage.

Highlights

• Version Update: The google-auth library is being updated from version 2.47.0 to 2.49.0-dev0.
• Dependency Refactoring: The rsa library has been removed as a direct dependency from the main setup.py requirements. It is now conditionally imported in google/auth/crypt/rsa.py and listed under testing_extra_require in setup.py, indicating a shift towards cryptography as the primary RSA implementation while maintaining backward compatibility.
• New Features: This release introduces several new features, including honoring the NO_GCE_CHECK environment variable, configurable GCE Metadata Server retries, and support for the mTLS IAM domain for Certificate based Access.
• Bug Fixes: Key bug fixes include resolving circular imports, removing content-header from AWS IMDS get requests, improving authentication detection when ADC environment variables are empty, and replacing deprecated utcfromtimestamp.
• Changelog Update: The CHANGELOG.md file has been updated to reflect all the new features and bug fixes for the 2.49.0-dev0 release.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the google-auth library to version 2.49.0-dev0. The main changes involve refactoring the rsa library dependency. It has been moved from a core dependency to a conditional import within google/auth/crypt/rsa.py and is now primarily a test dependency. This is a positive step towards deprecating the rsa library in favor of cryptography, improving the library's overall maintainability and efficiency. The changelog and version file have also been updated accordingly.

I am having trouble creating individual review comments. Click here to see my feedback.

google/auth/crypt/rsa.py (27)

The removal of the top-level import for _python_rsa and its subsequent conditional import within the __init__ methods is a good practice. This defers the loading of the deprecated rsa library until it's actually needed, which can improve startup performance and reduce the core dependency footprint. This aligns with the goal of transitioning to cryptography.

google/auth/crypt/rsa.py (39)

Adding ImportError to the RSAVerifier docstring is important. Since _python_rsa is now conditionally imported, an ImportError could be raised if rsa.key.PublicKey is used without the rsa library being installed, providing clearer error handling for users.

google/auth/crypt/rsa.py (48-50)

The conditional import of _python_rsa here is a good way to manage the dependency on the deprecated rsa library. It ensures that the library is only loaded when the specific rsa.key.PublicKey type is encountered, minimizing its impact on the overall package.

google/auth/crypt/rsa.py (90)

Similarly, adding ImportError to the RSASigner docstring is crucial. With the conditional import of _python_rsa, users attempting to use rsa.key.PrivateKey without the rsa library installed will now receive a more informative error.

google/auth/crypt/rsa.py (99-101)

This conditional import for _python_rsa in RSASigner mirrors the change in RSAVerifier. It's a sensible approach to gradually phase out the rsa library while maintaining compatibility for existing code paths that still rely on it.

setup.py (28-30)

Removing the rsa library from the main DEPENDENCIES list is a good move, aligning with the deprecation warning in _python_rsa.py and promoting the use of cryptography. This reduces the primary dependency burden.

setup.py (73-75)

Moving the rsa dependency to testing_extra_require with a clear comment is an appropriate transitional step. It ensures that existing tests that rely on the rsa library can still function while the library is being phased out from core dependencies.