
fix: use native OS certificate store for TLS #302

Merged: jpoehnelt merged 1 commit into googleworkspace:main from manojbadam:fix/use-native-tls-roots on Mar 9, 2026

Conversation

@manojbadam (Contributor)

Summary

  • Switch reqwest from rustls-tls feature (bundled Mozilla roots via webpki-roots) to rustls-tls-native-roots (OS native certificate store via rustls-native-certs)
  • Removes webpki-roots dependency

Motivation

In enterprise environments, organizations use internal/corporate certificate authorities. The bundled Mozilla root store does not include these, causing TLS handshake failures. Using the OS native trust store allows the CLI to respect any custom CA certificates installed by the user or their IT/admin team.

Test plan

  • All existing tests pass (cargo test)
  • Verify CLI works in an environment with a corporate CA certificate installed in the system trust store

🤖 Generated with Claude Code
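The dependency change the PR describes, shown as an added illustration rather than the project's own Cargo.toml (the reqwest version, the `json` feature and the `default-features = false` setting are assumed):

```toml
[dependencies]

# Before (assumed prior state): reqwest's `rustls-tls` feature is an alias
# for `rustls-tls-webpki-roots`, so the trust anchors are the Mozilla
# bundle compiled into the binary via webpki-roots. A corporate CA
# installed in the OS store is never consulted, and the handshake to any
# server that chains to it fails.
#
# reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }

# After: `rustls-tls-native-roots` pulls in rustls-native-certs, which
# reads the platform store when the client is built (Schannel on
# Windows, the Security framework on macOS, the system PEM bundle on
# Linux, where SSL_CERT_FILE / SSL_CERT_DIR override the default path).
# Keeping `default-features = false` matters: reqwest's `default-tls`
# feature would otherwise pull in native-tls as well, and a client built
# without `use_rustls_tls()` would take that backend instead of rustls.
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }
```

The feature flag only changes the trust store used by clients that reqwest itself constructs; a second HTTP stack linked into the same binary (the first review below names the OAuth library) builds its own connector and keeps its own roots unless it is configured separately.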

@changeset-bot

changeset-bot bot commented Mar 8, 2026

🦋 Changeset detected

Latest commit: 3368315

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name                  Type
@googleworkspace/cli  Patch


@google-cla

google-cla bot commented Mar 8, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the application's ability to handle TLS connections in diverse network environments, particularly those with corporate or custom certificate authorities. By transitioning to the native OS certificate store for TLS validation, the application can now seamlessly trust certificates installed by users or IT administrators, resolving potential TLS handshake failures that occurred when relying solely on bundled Mozilla root certificates.

Highlights

  • TLS Certificate Handling: Switched the reqwest library's TLS backend from using bundled Mozilla root certificates (rustls-tls feature with webpki-roots) to utilizing the native OS certificate store (rustls-tls-native-roots feature with rustls-native-certs).
  • Dependency Management: Removed the webpki-roots dependency, which was previously used for bundled root certificates, and introduced rustls-native-certs to enable native OS certificate store integration.
Changelog
  • .changeset/use-native-tls-roots.md
    • Added a new changeset file documenting the switch to native OS certificate store for TLS.
  • Cargo.lock
    • Removed webpki-roots dependency.
    • Added rustls-native-certs dependency.
  • Cargo.toml
    • Updated reqwest dependency to use the rustls-tls-native-roots feature instead of rustls-tls.
Activity
  • The pull request description indicates it was generated with Claude Code.

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request aims to resolve TLS handshake failures in enterprise environments by switching to the native OS certificate store. The change correctly updates reqwest to use rustls-tls-native-roots. However, a critical issue remains: the authentication library, yup-oauth2, is not configured to use the native store and will continue to use bundled certificates, causing authentication to fail in the target environments. The fix is therefore incomplete. I've left a detailed comment on how to address this.

Switch reqwest from `rustls-tls` (bundled Mozilla roots via webpki-roots)
to `rustls-tls-native-roots` so the CLI trusts custom/corporate CA
certificates installed in the system trust store.

This fixes TLS handshake failures in enterprise environments that use
internal certificate authorities.
@manojbadam force-pushed the fix/use-native-tls-roots branch from 71b5e65 to 3368315 on March 8, 2026 05:19

@googleworkspace-bot (Collaborator)

/gemini review

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request correctly switches the reqwest dependency to use the native OS certificate store for TLS by changing the feature flag from rustls-tls to rustls-tls-native-roots. This change, reflected in Cargo.toml and Cargo.lock, is well-motivated for supporting enterprise environments with custom CAs. The implementation is sound and I have no suggestions for improvement.

@jpoehnelt merged commit 789e7f1 into googleworkspace:main on Mar 9, 2026
29 of 30 checks passed

@codecov

codecov bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.09%. Comparing base (95bb24e) to head (3368315).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #302   +/-   ##
=======================================
  Coverage   59.09%   59.09%           
=======================================
  Files          36       36           
  Lines       12953    12953           
=======================================
  Hits         7654     7654           
  Misses       5299     5299           
