.github/actionlint.yml

@@ -1,5 +0,0 @@
-paths:
-  '**/*.yml':
-    ignore:
-      # https://github.com/rhysd/actionlint/issues/559
-      - 'invalid runner name "node24"'

README.md

@@ -39,7 +39,7 @@ support](https://cloud.google.com/support).**
     gha-creds-*.json
     ```
 
--   This action runs using Node 24. Use a [runner
+-   This action runs using Node 20. Use a [runner
     version](https://github.com/actions/virtual-environments) that supports this
     version of Node or newer.
 
@@ -60,7 +60,7 @@ jobs:
     steps:
     - uses: 'actions/checkout@v4'
 
-    - uses: 'google-github-actions/auth@v3'
+    - uses: 'google-github-actions/auth@v2'
       with:
         project_id: 'my-project'
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
@@ -249,7 +249,7 @@ regardless of the authentication mechanism.
       job_id:
         steps:
         - uses: 'actions/checkout@v4' # Must come first!
-        - uses: 'google-github-actions/auth@v3'
+        - uses: 'google-github-actions/auth@v2'
      ```
 
 -   `export_environment_variables`: (Optional) If true, the action will export
@@ -434,7 +434,7 @@ These instructions use the [gcloud][gcloud] command-line tool.
     Actions YAML:
 
     ```yaml
-    - uses: 'google-github-actions/auth@v3'
+    - uses: 'google-github-actions/auth@v2'
       with:
         project_id: 'my-project'
         workload_identity_provider: '...' # "projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo"
@@ -598,7 +598,7 @@ These instructions use the [gcloud][gcloud] command-line tool.
     Actions YAML:
 
     ```yaml
-    - uses: 'google-github-actions/auth@v3'
+    - uses: 'google-github-actions/auth@v2'
       with:
         service_account: '...' # my-service-account@my-project.iam.gserviceaccount.com
         workload_identity_provider: '...' # "projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo"
@@ -667,7 +667,7 @@ These instructions use the [gcloud][gcloud] command-line tool.
     the GitHub Actions YAML:
 
     ```yaml
-    - uses: 'google-github-actions/auth@v3'
+    - uses: 'google-github-actions/auth@v2'
       with:
         credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}' # Replace with the name of your GitHub Actions secret
     ```

action.yml

@@ -138,6 +138,30 @@ inputs:
     default: ''
     required: false
 
+  # retries - TODO - remove in v3.0
+  retries:
+    description: |-
+      Number of times to retry a failed authentication attempt. This is useful
+      for automated pipelines that may execute before IAM permissions are fully
+      propagated.
+    deprecationMessage: |-
+      This field is no longer used and will be removed in a future release.
+    required: false
+  backoff:
+    description: |-
+      Delay time before trying another authentication attempt. This is
+      implemented using a fibonacci backoff method (e.g. 1-1-2-3-5). The default
+      value is 250 milliseconds.
+    deprecationMessage: |-
+      This field is no longer used and will be removed in a future release.
+    required: false
+  backoff_limit:
+    description: |-
+      Limits the retry backoff to the specified value.
+    deprecationMessage: |-
+      This field is no longer used and will be removed in a future release.
+    required: false
+
   # id token params
   id_token_audience:
     description: |-
@@ -180,6 +204,6 @@ branding:
   color: 'blue'
 
 runs:
-  using: 'node24'
+  using: 'node20'
   main: 'dist/main/index.js'
   post: 'dist/post/index.js'

bin/runTests.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -eEuo pipefail
+
+#
+# As of Node 20, the --test parameter does not support globbing, and it does not
+# support variable Windows paths. We also cannot invoke the test runner
+# directly, because while it has an API, there's no way to force it to transpile
+# the Typescript into JavaScript before passing it to the runner.
+#
+# So we're left with this solution, which shells out to Node to list all files
+# that end in *.test.ts (excluding node_modules/), and then execs out to that
+# process. We have to exec so the stderr/stdout and exit code is appropriately
+# fed to the caller.
+#
+
+FILES="$(node -e "process.stdout.write(require('node:fs').readdirSync('./', { recursive: true }).filter((e) => {return e.endsWith('.test.ts') && !e.startsWith('node_modules');}).sort().join(' '));")"
+
+set -x
+
+# shellcheck disable=SC2086
+exec node --require ts-node/register --test-reporter spec --test ${FILES}

docs/EXAMPLES.md

@@ -20,7 +20,7 @@ jobs:
       id-token: 'write'
 
     - id: 'auth'
-      uses: 'google-github-actions/auth@v3'
+      uses: 'google-github-actions/auth@v2'
       with:
         project_id: 'my-project'
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
@@ -45,7 +45,7 @@ jobs:
       contents: 'read'
       id-token: 'write'
 
-    - uses: 'google-github-actions/auth@v3'
+    - uses: 'google-github-actions/auth@v2'
       with:
         project_id: 'my-project'
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
@@ -56,7 +56,7 @@ jobs:
     # the service account, specify the 'token_format' parameter and use the
     # 'accesss_token' output.
     #
-    # - uses: 'google-github-actions/auth@v3'
+    # - uses: 'google-github-actions/auth@v2'
     #   with:
     #     workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
     #     service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
@@ -79,7 +79,7 @@ jobs:
     steps:
     - uses: 'actions/checkout@v4'
 
-    - uses: 'google-github-actions/auth@v3'
+    - uses: 'google-github-actions/auth@v2'
       with:
         credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
 ```
@@ -100,7 +100,7 @@ jobs:
     - uses: 'actions/checkout@v4'
 
     - id: 'auth'
-      uses: 'google-github-actions/auth@v3'
+      uses: 'google-github-actions/auth@v2'
       with:
         project_id: 'my-project'
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
@@ -136,7 +136,7 @@ jobs:
     - uses: 'actions/checkout@v4'
 
     - id: 'auth'
-      uses: 'google-github-actions/auth@v3'
+      uses: 'google-github-actions/auth@v2'
       with:
         token_format: 'access_token' # <--
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
@@ -173,7 +173,7 @@ jobs:
     - uses: 'actions/checkout@v4'
 
     - id: 'auth'
-      uses: 'google-github-actions/auth@v3'
+      uses: 'google-github-actions/auth@v2'
       with:
         token_format: 'id_token' # <--
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
@@ -223,7 +223,7 @@ jobs:
     - uses: 'actions/checkout@v4'
 
     - id: 'auth'
-      uses: 'google-github-actions/auth@v3'
+      uses: 'google-github-actions/auth@v2'
       with:
         workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
         service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

docs/TROUBLESHOOTING.md

@@ -27,7 +27,7 @@
     ```yaml
     steps:
       - uses: 'actions/checkout@v4'
-      - uses: 'google-github-actions/auth@v3'
+      - uses: 'google-github-actions/auth@v2'
     ```
 
 1.  Ensure the value for `workload_identity_provider` is the full _Provider_
@@ -266,7 +266,7 @@ Alternatively, you can use the `token_format` parameter of this action to
 generate an ID token directly:
 
 ```yaml
-- uses: 'google-github-actions/auth@v3'
+- uses: 'google-github-actions/auth@v2'
   with:
     workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
     service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}

package-lock.json

@@ -1,17 +1,17 @@
 {
   "name": "@google-github-actions/auth",
-  "version": "3.0.0",
+  "version": "2.1.13",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@google-github-actions/auth",
-      "version": "3.0.0",
+      "version": "2.1.13",
       "license": "Apache-2.0",
       "dependencies": {
         "@actions/core": "^1.11.1",
         "@actions/http-client": "^2.2.3",
-        "@google-github-actions/actions-utils": "^1.0.1"
+        "@google-github-actions/actions-utils": "^0.8.10"
       },
       "devDependencies": {
         "@eslint/eslintrc": "^3.3.1",
@@ -28,8 +28,8 @@
         "typescript-eslint": "^8.41.0"
       },
       "engines": {
-        "node": ">= 24.x",
-        "npm": ">= 11.x"
+        "node": ">= 20.x",
+        "npm": ">= 10.x"
       }
     },
     "node_modules/@actions/core": {
@@ -218,9 +218,9 @@
       }
     },
     "node_modules/@google-github-actions/actions-utils": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@google-github-actions/actions-utils/-/actions-utils-1.0.1.tgz",
-      "integrity": "sha512-dEvNcy63a6pkcMsRhWbfjNePsv4kR61O56mQ9rVXvRgjAvRkZTBiM1G7QSnHulMEjhLIlTEGlBIKEKIxCoonkQ==",
+      "version": "0.8.10",
+      "resolved": "https://registry.npmjs.org/@google-github-actions/actions-utils/-/actions-utils-0.8.10.tgz",
+      "integrity": "sha512-NLmKwQgPj0cQyDjbtQIGUYBdPtFIywLbH10RPRuhF6tO7qlO19N76SsaDEiZ7iKlXA9Yfj8TS3lK6wfdJyE+hw==",
       "license": "Apache-2.0",
       "dependencies": {
         "yaml": "^2.8.1"
@@ -229,8 +229,8 @@
         "actions-gen-readme": "bin/actions-gen-readme.mjs"
       },
       "engines": {
-        "node": ">= 24.x",
-        "npm": ">= 11.x"
+        "node": ">= 20.x",
+        "npm": ">= 10.x"
       }
     },
     "node_modules/@humanfs/core": {

package.json

@@ -1,17 +1,17 @@
 {
   "name": "@google-github-actions/auth",
-  "version": "3.0.0",
+  "version": "2.1.13",
   "description": "Authenticate to Google Cloud using OIDC tokens or JSON service account keys.",
   "main": "dist/main/index.js",
   "scripts": {
     "build": "ncc build -m src/main.ts -o dist/main && ncc build -m src/post.ts -o dist/post",
     "lint": "eslint .",
     "format": "eslint . --fix",
-    "test": "node --require ts-node/register --test-reporter spec --test tests/**/*.test.ts"
+    "test": "bash ./bin/runTests.sh"
   },
   "engines": {
-    "node": ">= 24.x",
-    "npm": ">= 11.x"
+    "node": ">= 20.x",
+    "npm": ">= 10.x"
   },
   "repository": {
     "type": "git",
@@ -29,7 +29,7 @@
   "dependencies": {
     "@actions/core": "^1.11.1",
     "@actions/http-client": "^2.2.3",
-    "@google-github-actions/actions-utils": "^1.0.1"
+    "@google-github-actions/actions-utils": "^0.8.10"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.3.1",