chore: Cherry-picked changes from upstream (#54)

* Update troubleshooting docs for Python (#488)

Closes google-github-actions/auth#487

* Update troubleshooting docs for Python (#488)

Closes google-github-actions/auth#487

* Update troubleshooting docs for Python (#488)

Closes google-github-actions/auth#487

* Add linters (#499)

* Update deps (#500)

* auto cherry pick updated

test.yml updated

package json updated

auto-cherry-pick updated

* chore: dist updated (#56)

* Update auto_cherry_pick.yml

Create claude_review.yml

Update auto_cherry_pick.yml

Update auto_cherry_pick.yml

auto-cherry-pick updated

* Update auto_cherry_pick.yml

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Raj Kumar Panda <[email protected]>

Author: Raj-StepSecurity

.github/workflows/auto_cherry_pick.yml

@@ -7,8 +7,13 @@ on:
         description: "Base branch to create the PR against"
         required: true
         default: "main"
-  schedule:
-    - cron: "0 0 * * 1"
+      mode:
+        description: "Run mode: cherry-pick or verify"
+        required: false
+        default: "cherry-pick"
+
+  pull_request:
+    types: [labeled, opened, synchronize]
 
 permissions:
   contents: write
@@ -17,9 +22,11 @@ permissions:
   issues: write
 
 jobs:
-  audit-fix:
-    uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@upstream-Changes-CherryPick
+  cherry-pick:
+    if: github.event_name == 'workflow_dispatch' || contains(fromJson(toJson(github.event.pull_request.labels)).*.name, 'review-required')
+    uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@feature/verify-cherry-pick
     with:
       original-owner: "google-github-actions"
       repo-name: "auth"
-      base_branch: ${{ inputs.base_branch || 'main' }}
+      base_branch: ${{ inputs.base_branch || 'main' }}
+      mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode }}

.github/workflows/claude_review.yml

@@ -0,0 +1,18 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, labeled]
+
+jobs:
+  code-review:
+      uses: step-security/reusable-workflows/.github/workflows/claude_review.yml@v1
+      secrets:
+        anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+      
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write
+  id-token: write

.github/workflows/test.yml

@@ -29,13 +29,13 @@ concurrency:
   group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: 'bash'
 
-permissions:
-  contents: read
-
 jobs:
   unit:
     name: 'unit'
@@ -51,7 +51,7 @@ jobs:
 
       - uses: 'actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e' # v4.3.0
         with:
-          node-version: '20.x'
+          node-version-file: 'package.json'
 
       - name: 'npm build'
         run: 'npm ci && npm run build'
@@ -91,7 +91,7 @@ jobs:
 
       - uses: 'actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e' # v4.3.0
         with:
-          node-version: '20.x'
+          node-version-file: 'package.json'
 
       - name: 'npm build'
         run: 'npm ci && npm run build'
@@ -136,7 +136,7 @@ jobs:
 
       - uses: 'actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e' # v4.3.0
         with:
-          node-version: '20.x'
+          node-version-file: 'package.json'
 
       - name: 'npm build'
         run: 'npm ci && npm run build'

README.md

@@ -308,7 +308,6 @@ regardless of the authentication mechanism.
     "token_format" is "id_token".
 
 
-
 <a id="setup"></a>
 ## Setup
 

bin/runTests.sh

@@ -16,4 +16,6 @@ set -eEuo pipefail
 FILES="$(node -e "process.stdout.write(require('node:fs').readdirSync('./', { recursive: true }).filter((e) => {return e.endsWith('.test.ts') && !e.startsWith('node_modules');}).sort().join(' '));")"
 
 set -x
+
+# shellcheck disable=SC2086
 exec node --require ts-node/register --test-reporter spec --test ${FILES}

dist/main/index.js

@@ -187,6 +187,69 @@ jobs:
       run: |-
         curl https://myapp-uvehjacqzq.a.run.app \
           --header "Authorization: Bearer ${{ steps.auth.outputs.id_token }}"
+
+    # Example of using ID token in Python code
+    - id: 'python-example'
+      run: |-
+        python -c "
+        import os
+        import requests
+
+        # ID token is available as environment variable
+        id_token = os.environ.get('GOOGLE_ID_TOKEN', '${{ steps.auth.outputs.id_token }}')
+
+        # Use the token to invoke a Cloud Run service
+        response = requests.get(
+            'https://myapp-uvehjacqzq.a.run.app',
+            headers={'Authorization': f'Bearer {id_token}'}
+        )
+        print(response.text)
+        "
+```
+
+### Using Default Credentials with Scopes in Python
+
+When using Workload Identity Federation with Python libraries, you may need to
+add scopes before refreshing credentials:
+
+```yaml
+jobs:
+  job_id:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+    - uses: 'actions/checkout@v4'
+
+    - id: 'auth'
+      uses: 'google-github-actions/auth@v2'
+      with:
+        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
+        service_account: '[email protected]'
+
+    - id: 'python-auth'
+      run: |-
+        python -c "
+        from google.auth import default
+        from google.auth.transport.requests import Request
+
+        # Get default credentials
+        credentials, project = default()
+
+        # Add scopes before refreshing for impersonation
+        credentials = credentials.with_scopes(
+            ['https://www.googleapis.com/auth/cloud-platform']
+        )
+
+        # Refresh to get the token
+        credentials.refresh(request=Request())
+
+        # Now you can use the credentials
+        print(f'Access token: {credentials.token}')
+        if hasattr(credentials, 'id_token'):
+            print(f'ID token: {credentials.id_token}')
+        "
 ```
 
 [github-markdown-toc]: https://github.blog/changelog/2021-04-13-table-of-contents-support-in-markdown-files/

dist/post/index.js

@@ -230,6 +230,53 @@ tool like `jq`:
 cat credentials.json | jq -r tostring
 ```
 
+<a name="cannot-refresh"></a>
+
+## Cannot refresh credentials to retrieve an ID token
+
+If you get an error like:
+
+```text
+google.auth.exceptions.RefreshError: ('Unable to acquire impersonated credentials', '{"error": {"code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT"}}')
+```
+
+when trying to refresh credentials in Python code to get an ID token, this is
+usually because the credentials are missing required scopes. The Google Auth
+library requires scopes to be set when refreshing credentials for impersonation.
+
+To fix this issue, add the required scopes before refreshing:
+
+```python
+from google.auth import default
+from google.auth.transport.requests import Request
+
+credentials, project = default()
+
+# Add scopes before refreshing
+credentials = credentials.with_scopes(
+    ["https://www.googleapis.com/auth/cloud-platform"]
+)
+credentials.refresh(request=Request())
+
+# Now you can access the ID token
+print(credentials.id_token)
+```
+
+Alternatively, you can use the `token_format` parameter of this action to
+generate an ID token directly:
+
+```yaml
+- uses: 'google-github-actions/auth@v2'
+  with:
+    workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
+    service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
+    token_format: 'id_token'
+    id_token_audience: 'https://example.com'
+```
+
+This will export the ID token as an environment variable that you can use in
+your Python code.
+
 ## Organizational Policy Constraints
 
 > **ℹ️ NOTE!** Your Google Cloud organization administrator controls these