feat: add Vertex AI support via use-vertex inputs

[nh3500]

Summary

Adds an optional Vertex AI path to the action, alongside the existing claude-api-key flow. Motivation: organizations that have standardized on Google Cloud often want Claude billing and access centralized in Vertex AI rather than managing per-repo ANTHROPIC_API_KEY secrets — for those teams, the current required-API-key surface makes this action unusable.

This change is fully backward-compatible: every existing default preserves the current behavior, and only the addition of new optional kwargs to FindingsFilter requires touching one existing test assertion.

What changes

New action inputs

Input	Default	Notes
use-vertex	'false'	Enables Vertex AI mode
vertex-region	'global'	Vertex region (e.g. global, us-east5)
vertex-project-id	''	GCP project hosting Vertex AI; required when use-vertex is true

claude-api-key is now required: false (was true). The action's auth pre-flight check now passes if either an API key or use-vertex + vertex-project-id are provided. The direct-API call sites are unchanged.

Code changes

The action has two Claude call points:

1. Main security audit — SimpleClaudeRunner spawns the claude CLI as a subprocess. Claude Code natively supports Vertex via CLAUDE_CODE_USE_VERTEX=1 + ANTHROPIC_VERTEX_PROJECT_ID + CLOUD_ML_REGION. No code change needed — just env passthrough in action.yml.
2. False-positive findings filter — ClaudeAPIClient constructs Anthropic(api_key=...) directly. Now accepts use_vertex=True and constructs AnthropicVertex(region=..., project_id=...) instead. Auth uses Application Default Credentials, so callers must run google-github-actions/auth before invoking this action.

The proactive validate_api_access() probe is skipped in Vertex mode. Reason: it currently calls claude-3-5-haiku-20241022 as a low-cost test, but on Vertex that specific model must be enabled in the caller's GCP project, which is not guaranteed and would produce confusing failures. Real auth/quota errors still surface on the first actual filter call (which has its own retry/error handling), so the pre-flight probe added no value in Vertex mode.

Example usage

- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
    service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}

- uses: anthropics/claude-code-security-review@main
  with:
    use-vertex: 'true'
    vertex-project-id: my-gcp-project
    vertex-region: global

Tests

• Added test_claude_api_client.py covering both constructors, env-var fallback, missing-project error path, and the validation-skip behavior in Vertex mode.
• Added two Vertex coverage cases in test_helper_functions.py for initialize_findings_filter:
  • Vertex env vars enable filtering with the right kwargs
  • Vertex flag without ANTHROPIC_VERTEX_PROJECT_ID falls back to hard-exclusions-only
• Updated one existing kwargs assertion to include the new optional fields.
• Full suite: 183/183 passing locally (was 173; 10 new tests added).

Backward compatibility

Every change is additive:

• All new inputs default to off / empty
• All new constructor kwargs default to False / None
• Existing direct-API path is byte-for-byte unchanged at runtime when use-vertex is not set

Existing users see no behavior difference and don't need to change their workflow files.

Why this is worth merging

• Removes a hard dependency on ANTHROPIC_API_KEY for GCP-centric orgs — Vertex auth via WIF is more secure (short-lived tokens, IAM-controlled, no per-repo secret management).
• Consolidates billing for orgs that already pay for Claude through Vertex.
• Aligns with claude-code-action which already accepts use_vertex: 'true' — this brings the security review action to parity.

Test plan

• Unit tests added and passing locally (183/183)
• Maintainer to validate against an actual Vertex-backed run if there's an internal test setup
• (After merge) bump our consumer workflow to upstream @v...