From 4d2c7c6e1052d01b903f8c448040cca75475cb70 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Sat, 25 Apr 2026 17:40:31 +0100
Subject: [PATCH] Validate GCP OIDC configurations
---
 lib/start-proxy-action.js | 18 +++++++++++++++++-
 src/start-proxy/types.test.ts | 15 +++++++++++++++
 src/start-proxy/types.ts | 32 +++++++++++++++++++++++++++++++-
 3 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index 66b5fbf35..74ffff232 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -122053,11 +122053,20 @@ var cloudsmithConfigSchema = {
 function isCloudsmithConfig(config) {
 return validateSchema(cloudsmithConfigSchema, config);
 }
+var gcpConfigSchema = {
+ "workload-identity-provider": string,
+ "service-account": optional(string),
+ audience: optional(string)
+};
+function isGCPConfig(config) {
+ return validateSchema(gcpConfigSchema, config);
+}
 var oidcSchemas = [
 { schema: azureConfigSchema, name: "Azure" },
 { schema: awsConfigSchema, name: "AWS" },
 { schema: jfrogConfigSchema, name: "JFrog" },
- { schema: cloudsmithConfigSchema, name: "Cloudsmith" }
+ { schema: cloudsmithConfigSchema, name: "Cloudsmith" },
+ { schema: gcpConfigSchema, name: "GCP" }
 ];
 function credentialToStr(credential) {
 let result = `Type: ${credential.type};`;
@@ -122101,6 +122110,13 @@ function credentialToStr(credential) {
 appendIfDefined("Cloudsmith Namespace", credential.namespace);
 appendIfDefined("Cloudsmith Service Slug", credential["service-slug"]);
 appendIfDefined("Cloudsmith API Host", credential["api-host"]);
+ } else if (isGCPConfig(credential)) {
+ appendIfDefined(
+ "GCP Workload Identity Provider",
+ credential["workload-identity-provider"]
+ );
+ appendIfDefined("GCP Service Account", credential["service-account"]);
+ appendIfDefined("GCP Audience", credential.audience);
 }
 return result;
 }
diff --git a/src/start-proxy/types.test.ts b/src/start-proxy/types.test.ts
index c89d42fe3..55f8ab41f 100644
--- a/src/start-proxy/types.test.ts
+++ b/src/start-proxy/types.test.ts
@@ -126,6 +126,21 @@ test("credentialToStr - pretty-prints valid Cloudsmith OIDC configurations", (t)
 );
 });
 
+test("credentialToStr - pretty-prints valid GCP OIDC configurations", (t) => {
+ const credential: types.Credential = {
+ type: "maven_credential",
+ url: "https://localhost",
+ ...(makeFromSchema(true, types.gcpConfigSchema) as types.GCPConfig),
+ };
+
+ const str = types.credentialToStr(credential);
+
+ t.is(
+ "Type: maven_credential; Url: https://localhost; GCP Workload Identity Provider: value-for-workload-identity-provider; GCP Service Account: value-for-service-account; GCP Audience: value-for-audience;",
+ str,
+ );
+});
+
 test("credentialToStr - hides passwords", (t) => {
 const secret = "password123";
 const credential = {
diff --git a/src/start-proxy/types.ts b/src/start-proxy/types.ts
index e35b77acb..98c23662a 100644
--- a/src/start-proxy/types.ts
+++ b/src/start-proxy/types.ts
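Review bot: The added test pins only the happy-path pretty-printing of a fully populated GCP config; nothing in the hunk checks that `isGCPConfig` rejects an object missing the required `workload-identity-provider` key, or that the optional keys on their own are not classified as GCP. Since the commit is titled as adding validation, a negative case next to this one would pin that behaviour, e.g. `t.false(types.isGCPConfig({ "service-account": "sa@example.iam.gserviceaccount.com" }));` alongside `t.true(types.isGCPConfig({ "workload-identity-provider": "projects/1/locations/global/workloadIdentityPools/p/providers/x" }));` (cast to `UnvalidatedObject` if the parameter type requires it). If `validateSchema` tolerates extra keys, a config that also carries another provider's keys would satisfy more than one schema and `credentialToStr`'s else-if chain would report whichever matches first, so an assertion for that case would document the intended precedence.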
@@ -135,16 +135,39 @@ export function isCloudsmithConfig(
 return json.validateSchema(cloudsmithConfigSchema, config);
 }
 
+/** A schema for GCP OIDC configurations. */
+export const gcpConfigSchema = {
+ "workload-identity-provider": json.string,
+ "service-account": json.optional(json.string),
+ audience: json.optional(json.string),
+} as const satisfies json.Schema;
+
+/** Configuration for GCP OIDC. */
+export type GCPConfig = json.FromSchema;
+
+/** Decides whether `config` is a GCP OIDC configuration. */
+export function isGCPConfig(
+ config: UnvalidatedObject,
+): config is GCPConfig {
+ return json.validateSchema(gcpConfigSchema, config);
+}
+
 /** An array of all OIDC configuration schemas along with output-friendly names. */
 export const oidcSchemas = [
 { schema: azureConfigSchema, name: "Azure" },
 { schema: awsConfigSchema, name: "AWS" },
 { schema: jfrogConfigSchema, name: "JFrog" },
 { schema: cloudsmithConfigSchema, name: "Cloudsmith" },
+ { schema: gcpConfigSchema, name: "GCP" },
 ];
 
 /** Represents all supported OIDC configurations. */
-export type OIDC = AzureConfig | AWSConfig | JFrogConfig | CloudsmithConfig;
+export type OIDC =
+ | AzureConfig
+ | AWSConfig
+ | JFrogConfig
+ | CloudsmithConfig
+ | GCPConfig;
 
 /** All authentication-related fields. */
 export type AuthConfig = UsernamePassword | Token | OIDC;
@@ -207,6 +230,13 @@ export function credentialToStr(credential: Credential): string {
 appendIfDefined("Cloudsmith Namespace", credential.namespace);
 appendIfDefined("Cloudsmith Service Slug", credential["service-slug"]);
 appendIfDefined("Cloudsmith API Host", credential["api-host"]);
+ } else if (isGCPConfig(credential)) {
+ appendIfDefined(
+ "GCP Workload Identity Provider",
+ credential["workload-identity-provider"],
+ );
+ appendIfDefined("GCP Service Account", credential["service-account"]);
+ appendIfDefined("GCP Audience", credential.audience);
 }
 return result;
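Review bot: `gcpConfigSchema` accepts any string for `workload-identity-provider`, so a value that is not a full Workload Identity Pool provider resource name (`projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<name>`) passes `isGCPConfig` and presumably only fails later, when the proxy tries to exchange the token with it. If the `json` helpers offer a pattern or refinement check, applying one here would reject the misconfiguration at start-up; otherwise the doc comment should at least state the expected form, e.g. `/** A schema for GCP OIDC configurations. The workload-identity-provider value is the full Workload Identity Pool provider resource name; service-account and audience are optional. */`. Separately, `export type GCPConfig = json.FromSchema;` appears here with no type argument, unlike a schema-derived type would normally carry; this may be the page rendering dropping angle brackets, but it is worth confirming the source reads `json.FromSchema<typeof gcpConfigSchema>`.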