Address review: validate audience, parse RFC3339Nano timestamps

- Add up-front validation for empty params.Audience in GetGCPAccessToken
  to fail fast with a clear error instead of a cryptic STS rejection
- Use time.RFC3339Nano instead of time.RFC3339 for parsing GCP IAM
  expireTime, since Google APIs may return fractional seconds
- Add tests for both cases

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: kbukum1

internal/oidc/actions_oidc.go

@@ -676,13 +676,16 @@ type gcpIAMGenerateAccessTokenRequest struct {
 
 type gcpIAMGenerateAccessTokenResponse struct {
 	AccessToken string `json:"accessToken"`
-	ExpireTime  string `json:"expireTime"` // RFC3339
+	ExpireTime  string `json:"expireTime"` // RFC3339 (may include fractional seconds)
 }
 
 func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToken string) (*OIDCAccessToken, error) {
 	if params.WorkloadIdentityProvider == "" {
 		return nil, fmt.Errorf("workload-identity-provider is required")
 	}
+	if params.Audience == "" {
+		return nil, fmt.Errorf("audience is required")
+	}
 	if githubToken == "" {
 		return nil, fmt.Errorf("GitHub token is required")
 	}
@@ -791,7 +794,7 @@ func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToke
 		return nil, fmt.Errorf("GCP IAM response does not contain an access token")
 	}
 
-	expireTime, err := time.Parse(time.RFC3339, iamTokenResp.ExpireTime)
+	expireTime, err := time.Parse(time.RFC3339Nano, iamTokenResp.ExpireTime)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse GCP IAM expireTime %q: %w", iamTokenResp.ExpireTime, err)
 	}

internal/oidc/actions_oidc_test.go

@@ -1097,6 +1097,31 @@ func TestGetGCPAccessToken(t *testing.T) {
 			expectError:   false,
 			expectedToken: "impersonated-access-token",
 		},
+		{
+			name: "successful impersonation with fractional-second expireTime",
+			params: GCPOIDCParameters{
+				WorkloadIdentityProvider: "projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+				ServiceAccount:           "my-sa@my-project.iam.gserviceaccount.com",
+				Audience:                 "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+			},
+			githubToken: "test-github-jwt-token",
+			stsHandler: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				json.NewEncoder(w).Encode(gcpSTSTokenResponse{
+					AccessToken: "federated-access-token",
+					ExpiresIn:   3600,
+				})
+			},
+			iamHandler: func(w http.ResponseWriter, r *http.Request) {
+				w.Header().Set("Content-Type", "application/json")
+				json.NewEncoder(w).Encode(gcpIAMGenerateAccessTokenResponse{
+					AccessToken: "impersonated-nano-token",
+					ExpireTime:  "2099-12-31T23:59:59.999999999Z",
+				})
+			},
+			expectError:   false,
+			expectedToken: "impersonated-nano-token",
+		},
 		{
 			name: "missing workload-identity-provider",
 			params: GCPOIDCParameters{
@@ -1105,6 +1130,15 @@ func TestGetGCPAccessToken(t *testing.T) {
 			githubToken: "test-github-jwt-token",
 			expectError: true,
 		},
+		{
+			name: "missing audience",
+			params: GCPOIDCParameters{
+				WorkloadIdentityProvider: "projects/123/locations/global/workloadIdentityPools/pool/providers/prov",
+				Audience:                 "",
+			},
+			githubToken: "test-github-jwt-token",
+			expectError: true,
+		},
 		{
 			name: "missing GitHub token",
 			params: GCPOIDCParameters{