Commit a2880d7
Add GCP OIDC token exchange for Google Artifact Registry

Add Google Artifact Registry as the fifth OIDC provider, alongside
Azure DevOps, AWS CodeArtifact, JFrog, and Cloudsmith.

Token exchange flow:
- GitHub Actions OIDC JWT → Google STS token exchange
- Optional IAM Credentials impersonation (when service-account is set)
- Direct Workload Identity Federation when no service-account

Auth injection:
- Bearer token for most registry types
- Basic oauth2accesstoken:<token> for *-docker.pkg.dev hosts

New credential keys: workload-identity-provider (required),
service-account (optional), audience (optional, defaults to
//iam.googleapis.com/<workload-identity-provider>).

Related: github/dependabot-updates#13114
Related: github/dependabot-updates#13113

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent b9fdf49 commit a2880d7
7 files changed
Lines changed: 862 additions & 2 deletions
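An added example (not code from this commit or its project) of the flow the commit message describes: building the STS exchange request with the defaulted audience, deciding whether the impersonation step applies, and choosing the auth header by host. The type and function names, the STS form fields, the cloud-platform scope, the endpoint URLs and the sample values are assumptions drawn from Google's public STS and IAM Credentials APIs, not from the commit.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

type Credential struct{ WorkloadIdentityProvider, ServiceAccount, Audience string } // keys from the commit message

// STSForm builds the token-exchange body (assumed endpoint: https://sts.googleapis.com/v1/token).
func STSForm(c Credential, githubJWT string) (url.Values, error) {
	if c.WorkloadIdentityProvider == "" {
		return nil, fmt.Errorf("workload-identity-provider is required")
	}
	aud := c.Audience
	if aud == "" { // default stated in the commit message
		aud = "//iam.googleapis.com/" + c.WorkloadIdentityProvider
	}
	return url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"audience":             {aud},
		"scope":                {"https://www.googleapis.com/auth/cloud-platform"}, // assumed scope
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:jwt"},
		"subject_token":        {githubJWT},
	}, nil
}

// ImpersonationURL is the optional second step; "" means direct federation (no service-account).
func ImpersonationURL(c Credential) string {
	if c.ServiceAccount == "" {
		return ""
	}
	return "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/" + url.PathEscape(c.ServiceAccount) + ":generateAccessToken"
}

// AuthHeader picks the scheme by host suffix, so "us-docker.pkg.dev.example.test" gets no Basic auth.
func AuthHeader(host, token string) string {
	if strings.HasSuffix(strings.ToLower(host), "-docker.pkg.dev") {
		return "Basic " + base64.StdEncoding.EncodeToString([]byte("oauth2accesstoken:"+token))
	}
	return "Bearer " + token
}

func main() { // constructed sample values
	f, _ := STSForm(Credential{WorkloadIdentityProvider: "projects/1/locations/global/workloadIdentityPools/p/providers/gh"}, "constructed.jwt.value")
	fmt.Println(f.Encode(), AuthHeader("us-docker.pkg.dev", "tok"))
}
```

The GitHub OIDC JWT must be minted with the same audience value that the STS request carries, otherwise the exchange is rejected.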