Validate STS expiry on direct-WIF path and tighten IAM check to <=

- Direct-WIF (no service account) now rejects STS tokens with ExpiresIn
  <= 5 minutes, preventing cache-immediately-expired loops
- IAM path uses <= instead of < for the 5-minute threshold, fixing the
  edge case where remaining == 5m caches as immediately expired
- Add tests for zero expiry and exactly-5-minutes boundary

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: kbukum1

internal/oidc/actions_oidc.go

@@ -743,9 +743,13 @@ func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToke
 
 	// If no service account, return the federated token directly (direct WIF)
 	if params.ServiceAccount == "" {
+		stsExpiry := time.Duration(stsTokenResp.ExpiresIn) * time.Second
+		if stsExpiry <= 5*time.Minute {
+			return nil, fmt.Errorf("GCP STS token expires too soon (%v remaining)", stsExpiry)
+		}
 		return &OIDCAccessToken{
 			Token:     stsTokenResp.AccessToken,
-			ExpiresIn: time.Duration(stsTokenResp.ExpiresIn) * time.Second,
+			ExpiresIn: stsExpiry,
 		}, nil
 	}
 
@@ -800,7 +804,7 @@ func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToke
 	}
 
 	remaining := time.Until(expireTime)
-	if remaining < 5*time.Minute {
+	if remaining <= 5*time.Minute {
 		return nil, fmt.Errorf("GCP IAM token expires too soon (%v remaining, service-account: %s)", remaining, params.ServiceAccount)
 	}
 

internal/oidc/actions_oidc_test.go

@@ -1190,6 +1190,38 @@ func TestGetGCPAccessToken(t *testing.T) {
 			},
 			expectError: true,
 		},
+		{
+			name: "STS token expires too soon (direct WIF)",
+			params: GCPOIDCParameters{
+				WorkloadIdentityProvider: "projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+				Audience:                 "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+			},
+			githubToken: "test-github-jwt-token",
+			stsHandler: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				json.NewEncoder(w).Encode(gcpSTSTokenResponse{
+					AccessToken: "federated-access-token",
+					ExpiresIn:   0,
+				})
+			},
+			expectError: true,
+		},
+		{
+			name: "STS token at exactly 5 minutes (direct WIF)",
+			params: GCPOIDCParameters{
+				WorkloadIdentityProvider: "projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+				Audience:                 "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+			},
+			githubToken: "test-github-jwt-token",
+			stsHandler: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				json.NewEncoder(w).Encode(gcpSTSTokenResponse{
+					AccessToken: "federated-access-token",
+					ExpiresIn:   300,
+				})
+			},
+			expectError: true,
+		},
 		{
 			name: "IAM returns 403",
 			params: GCPOIDCParameters{