Migrate to modern Earth Engine authentication (service account + token-based)

[Copilot]

Google Earth Engine no longer issues OAuth2 credentials with client_id and client_secret, breaking the existing google.oauth2.credentials.Credentials authentication flow.

Changes

Authentication methods

• Added service account authentication (recommended for CI/CD)
• Added token-based authentication using modern EE credential format
• Removed deprecated OAuth2 manual credential construction
• Auto-detects authentication method from available environment variables

Environment variables

• EARTHENGINE_SERVICE_ACCOUNT: Service account JSON key (preferred)
• EARTHENGINE_PROJECT: Project ID (optional for service accounts, required/fallback for tokens)
• EARTHENGINE_TOKEN: Personal EE credentials (fallback method)

Security improvements

• Set 0600 permissions on credential files
• Added error handling for malformed credentials
• Replaced bare except with specific exception types

Usage

Service account (recommended):

# Automatically used if EARTHENGINE_SERVICE_ACCOUNT is set
# Script tries service account first, then falls back to token

Token-based (alternative):

# Automatically used if EARTHENGINE_TOKEN is set
# Project ID extracted from token or EARTHENGINE_PROJECT env var

Both methods use httplib2.Http() transport for CI/CD compatibility, following patterns from pytest-gee and geetools.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• pytest-gee.readthedocs.io
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Does this still work?</issue_title>
<issue_description>Hi there,

I am trying to make this work, but
1st. the credentials that earthengine provide do not contain client_id and client_secret anymore.
I copied those from my credentials page on google cloud, and merged those into my .json, which I then gave to github secrets.

GEE Python API is activated, the project is on publish. I try and try but get:

google.auth.exceptions.RefreshError: ('unauthorized_client: Unauthorized', {'error': 'unauthorized_client', 'error_description': 'Unauthorized'})
Error: Process completed with exit code 1.

Can you check if this works for you if you update your credentials? </issue_description>

Comments on the Issue (you are @copilot in this section)

@jdbcode Thanks for posting. Confirming that the workflow setup for the demo in this repo also does not work now. I'll try to figure out what is going on by the end of the week. @jdbcode Note: I added `scopes=["https://www.googleapis.com/auth/earthengine"]` to `google.oauth2.credentials.Credentials` without any other changes and it did not help. @12rambau In case you look for a way to run python tests, I created the [pytest-gee](https://github.com/gee-community/pytest-gee) for this purpose only and it includes up to date explainations to use it in a github context. In cas you simply want to run GEE stuff in a CI, have a look to the doc set up of [geetools](https://github.com/gee-community/geetools) it runs gee code for all the examples.

• Fixes Does this still work? #8

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[12rambau]

funny how copilot simply copied what we did in pytest-gee, he didn't even tried to hide it and proposed the exact same names for the variables. I'll reconsider twice before commenting starting from now.