macastelaz · github-actions · Apr 3, 2026
diff --git a/BUILD b/BUILD
@@ -4358,7 +4358,6 @@ grpc_cc_library(
         "grpc_core_credentials_header",
         "grpc_credentials_util",
         "grpc_security_base",
-        "//src/core:default_event_engine",
         "grpc_trace",
         "httpcli",
         "iomgr",
@@ -4368,6 +4367,7 @@ grpc_cc_library(
         "uri",
         "//src/core:arena_promise",
         "//src/core:closure",
+        "//src/core:default_event_engine",
         "//src/core:error",
         "//src/core:gpr_manual_constructor",
         "//src/core:grpc_check",

diff --git a/src/core/BUILD b/src/core/BUILD
@@ -5077,9 +5077,9 @@ grpc_cc_library(
         "json",
         "json_reader",
         "load_file",
+        "map",
         "metadata_batch",
         "ref_counted",
-        "map",
         "regional_access_boundary_fetcher",
         "slice",
         "slice_refcount",
@@ -5096,12 +5096,12 @@ grpc_cc_library(
         "//:grpc_trace",
         "//:httpcli",
         "//:iomgr",
-        "//src/core:default_event_engine",
         "//:orphanable",
         "//:promise",
         "//:ref_counted_ptr",
         "//:transport_auth_context",
         "//:uri",
+        "//src/core:default_event_engine",
     ],
 )
 
@@ -11373,7 +11373,6 @@ grpc_cc_library(
     deps = [
         "closure",
         "dual_ref_counted",
-        "//src/core:default_event_engine",
         "env",
         "error",
         "grpc_check",
@@ -11394,6 +11393,7 @@ grpc_cc_library(
         "//:ref_counted_ptr",
         "//:transport_auth_context",
         "//:uri",
+        "//src/core:default_event_engine",
     ],
 )
 

diff --git a/src/core/credentials/call/external/external_account_credentials.cc b/src/core/credentials/call/external/external_account_credentials.cc
@@ -35,6 +35,7 @@
 #include "src/core/credentials/call/json_util.h"
 #include "src/core/credentials/call/regional_access_boundary_fetcher.h"
 #include "src/core/credentials/transport/transport_credentials.h"
+#include "src/core/lib/promise/map.h"
 #include "src/core/lib/transport/status_conversion.h"
 #include "src/core/util/grpc_check.h"
 #include "src/core/util/http_client/httpcli_ssl_credentials.h"
@@ -46,7 +47,6 @@
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
-#include "src/core/lib/promise/map.h"
 #include "absl/strings/escaping.h"
 #include "absl/strings/match.h"
 #include "absl/strings/numbers.h"
@@ -79,10 +79,9 @@ namespace {
 class TokenWithRegionalAccessBoundary final
     : public TokenFetcherCredentials::Token {
  public:
-  TokenWithRegionalAccessBoundary(
-      grpc_core::Slice token, grpc_core::Timestamp expiration,
-      grpc_core::RefCountedPtr<RegionalAccessBoundaryFetcher>
-          regional_access_boundary_fetcher)
+  TokenWithRegionalAccessBoundary(Slice token, Timestamp expiration,
+                                  RefCountedPtr<RegionalAccessBoundaryFetcher>
+                                      regional_access_boundary_fetcher)
       : Token(std::move(token), expiration),
         regional_access_boundary_fetcher_(
             std::move(regional_access_boundary_fetcher)) {
@@ -96,7 +95,7 @@ class TokenWithRegionalAccessBoundary final
   }
 
  private:
-  grpc_core::RefCountedPtr<RegionalAccessBoundaryFetcher>
+  RefCountedPtr<RegionalAccessBoundaryFetcher>
       regional_access_boundary_fetcher_;
 };
 
@@ -449,7 +448,7 @@ void ExternalAccountCredentials::ExternalFetchRequest::FinishTokenFetch(
         result = MakeRefCounted<TokenFetcherCredentials::Token>(
             std::move(*token_value), Timestamp::Now() + token_lifetime);
       }
-     }
+    }
   }
   creds_->event_engine().Run([on_done = std::exchange(on_done_, nullptr),
                               result = std::move(result)]() mutable {
@@ -486,9 +485,11 @@ struct WorkloadIdentityPoolFields {
 // Expression to match:
 // //iam.googleapis.com/projects/<project>/locations/global/workloadIdentityPools/<pool-id>/providers/.+
 //
-// Returns the project and pool ID within the WorkloadIdentityPoolFields struct if the audience matches
-// the Workload Identity Pool format, otherwise returns std::nullopt.
-std::optional<WorkloadIdentityPoolFields> MatchWorkloadIdentityPoolAudience(absl::string_view audience) {
+// Returns the project and pool ID within the WorkloadIdentityPoolFields struct
+// if the audience matches the Workload Identity Pool format, otherwise returns
+// std::nullopt.
+std::optional<WorkloadIdentityPoolFields> MatchWorkloadIdentityPoolAudience(
+    absl::string_view audience) {
   // Match "//iam.googleapis.com/projects/"
   if (!absl::ConsumePrefix(&audience, "//iam.googleapis.com/projects/")) {
     return std::nullopt;
@@ -498,8 +499,8 @@ std::optional<WorkloadIdentityPoolFields> MatchWorkloadIdentityPoolAudience(absl
   if (location_pos == absl::string_view::npos) return std::nullopt;
   auto project = audience.substr(0, location_pos);
   if (project.empty()) return std::nullopt;
-  audience.remove_prefix(location_pos +
-                         sizeof("/locations/global/workloadIdentityPools/") - 1);
+  audience.remove_prefix(
+      location_pos + sizeof("/locations/global/workloadIdentityPools/") - 1);
   // Match "<pool-id>/providers/"
   auto provider_pos = audience.find("/providers/");
   if (provider_pos == absl::string_view::npos) return std::nullopt;
@@ -602,8 +603,7 @@ ExternalAccountCredentials::Create(
   }
   it = json.object().find("workforce_pool_user_project");
   if (it != json.object().end()) {
-    if (auto workforce_pool_id =
-            MatchWorkforcePoolAudience(options.audience);
+    if (auto workforce_pool_id = MatchWorkforcePoolAudience(options.audience);
         !workforce_pool_id.empty()) {
       options.workforce_pool_id = std::string(workforce_pool_id);
       options.workforce_pool_user_project = it->second.string();
@@ -709,9 +709,8 @@ ExternalAccountCredentials::ExternalAccountCredentials(
     std::shared_ptr<grpc_event_engine::experimental::EventEngine> event_engine)
     : TokenFetcherCredentials(event_engine),
       options_(std::move(options)),
-      regional_access_boundary_fetcher_(
-          RegionalAccessBoundaryFetcher::Create(
-              BuildRegionalAccessBoundaryUrl(options_), std::move(event_engine))) {
+      regional_access_boundary_fetcher_(RegionalAccessBoundaryFetcher::Create(
+          BuildRegionalAccessBoundaryUrl(options_), std::move(event_engine))) {
   if (scopes.empty()) {
     scopes.push_back(GOOGLE_CLOUD_PLATFORM_DEFAULT_SCOPE);
   }

diff --git a/src/core/credentials/call/external/external_account_credentials.h b/src/core/credentials/call/external/external_account_credentials.h
@@ -203,7 +203,7 @@ class ExternalAccountCredentials : public TokenFetcherCredentials {
 
   Options options_;
   std::vector<std::string> scopes_;
-  grpc_core::RefCountedPtr<RegionalAccessBoundaryFetcher>
+  RefCountedPtr<RegionalAccessBoundaryFetcher>
       regional_access_boundary_fetcher_;
 };
 

diff --git a/src/core/credentials/call/jwt/jwt_credentials.cc b/src/core/credentials/call/jwt/jwt_credentials.cc
@@ -16,9 +16,9 @@
 //
 
 #include "src/core/credentials/call/jwt/jwt_credentials.h"
-#include <grpc/event_engine/event_engine.h>
 
 #include <grpc/credentials.h>
+#include <grpc/event_engine/event_engine.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/json.h>
 #include <grpc/support/port_platform.h>
@@ -103,8 +103,8 @@ grpc_service_account_jwt_access_credentials::GetRequestMetadata(
   }
 
   if (regional_access_boundary_fetcher_ != nullptr) {
-    regional_access_boundary_fetcher_->Fetch(
-        jwt_value->as_string_view(), *initial_metadata);
+    regional_access_boundary_fetcher_->Fetch(jwt_value->as_string_view(),
+                                             *initial_metadata);
   }
   initial_metadata->Append(
       GRPC_AUTHORIZATION_METADATA_KEY, std::move(*jwt_value),
@@ -115,9 +115,12 @@ grpc_service_account_jwt_access_credentials::GetRequestMetadata(
 grpc_service_account_jwt_access_credentials::
     grpc_service_account_jwt_access_credentials(grpc_auth_json_key key,
                                                 gpr_timespec token_lifetime)
-    : key_(key), regional_access_boundary_fetcher_(grpc_core::RegionalAccessBoundaryFetcher::Create(
-        absl::StrFormat("https://iamcredentials.googleapis.com/v1/projects/-/"
-                     "serviceAccounts/%s/allowedLocations", key_.client_email))) {
+    : key_(key),
+      regional_access_boundary_fetcher_(
+          grpc_core::RegionalAccessBoundaryFetcher::Create(absl::StrFormat(
+              "https://iamcredentials.googleapis.com/v1/projects/-/"
+              "serviceAccounts/%s/allowedLocations",
+              key_.client_email))) {
   gpr_timespec max_token_lifetime = grpc_max_auth_token_lifetime();
   if (gpr_time_cmp(token_lifetime, max_token_lifetime) > 0) {
     VLOG(2) << "Cropping token lifetime to maximum allowed value ("

diff --git a/src/core/credentials/call/jwt/jwt_credentials.h b/src/core/credentials/call/jwt/jwt_credentials.h
@@ -89,7 +89,8 @@ class grpc_service_account_jwt_access_credentials
 
   grpc_auth_json_key key_;
   gpr_timespec jwt_lifetime_;
-  grpc_core::RefCountedPtr<grpc_core::RegionalAccessBoundaryFetcher> regional_access_boundary_fetcher_;
+  grpc_core::RefCountedPtr<grpc_core::RegionalAccessBoundaryFetcher>
+      regional_access_boundary_fetcher_;
 };
 
 // Private constructor for jwt credentials from an already parsed json key.

diff --git a/src/core/credentials/call/jwt_token_file/jwt_token_file_call_credentials.cc b/src/core/credentials/call/jwt_token_file/jwt_token_file_call_credentials.cc
@@ -30,7 +30,7 @@ class JwtTokenFileCallCredentials::FileReader final
              absl::AnyInvocable<void(
                  absl::StatusOr<RefCountedPtr<TokenFetcherCredentials::Token>>)>
                  on_done)
-        : creds_(creds), on_done_(std::move(on_done)) {
+      : creds_(creds), on_done_(std::move(on_done)) {
     creds->event_engine().Run([self = RefAsSubclass<FileReader>()]() {
       ExecCtx exec_ctx;
       self->ReadFile();

diff --git a/src/core/credentials/call/oauth2/oauth2_credentials.cc b/src/core/credentials/call/oauth2/oauth2_credentials.cc
@@ -19,6 +19,7 @@
 #include "src/core/credentials/call/oauth2/oauth2_credentials.h"
 
 #include <grpc/credentials.h>
+#include <grpc/event_engine/event_engine.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/slice.h>
@@ -53,7 +54,6 @@
 #include "src/core/util/ref_counted_ptr.h"
 #include "src/core/util/status_helper.h"
 #include "src/core/util/uri.h"
-#include <grpc/event_engine/event_engine.h>
 #include "absl/log/log.h"
 #include "absl/status/status.h"
 #include "absl/strings/numbers.h"
@@ -259,12 +259,14 @@ namespace {
 
 class TokenWithEmail final : public grpc_core::TokenFetcherCredentials::Token {
  public:
-  TokenWithEmail(grpc_core::Slice token, grpc_core::Timestamp expiration,
-                 grpc_core::RefCountedPtr<grpc_core::EmailFetcher> email_fetcher)
+  TokenWithEmail(
+      grpc_core::Slice token, grpc_core::Timestamp expiration,
+      grpc_core::RefCountedPtr<grpc_core::EmailFetcher> email_fetcher)
       : Token(std::move(token), expiration),
         email_fetcher_(std::move(email_fetcher)) {}
 
-  void AddTokenToClientInitialMetadata(grpc_core::ClientMetadata& metadata) override {
+  void AddTokenToClientInitialMetadata(
+      grpc_core::ClientMetadata& metadata) override {
     Token::AddTokenToClientInitialMetadata(metadata);
     email_fetcher_->Fetch(token().as_string_view(), metadata);
   }
@@ -293,8 +295,8 @@ class grpc_compute_engine_token_fetcher_credentials
   }
 
   grpc_core::OrphanablePtr<grpc_core::HttpRequest> StartHttpRequest(
-        grpc_polling_entity* pollent, grpc_core::Timestamp deadline,
-        grpc_http_response* response, grpc_closure* on_complete) override {
+      grpc_polling_entity* pollent, grpc_core::Timestamp deadline,
+      grpc_http_response* response, grpc_closure* on_complete) override {
     memset(response, 0, sizeof(*response));
     grpc_http_header header = {const_cast<char*>("Metadata-Flavor"),
                                const_cast<char*>("Google")};
@@ -311,8 +313,8 @@ class grpc_compute_engine_token_fetcher_credentials
                                       query_params_, "" /* fragment */);
     GRPC_CHECK(uri.ok());  // params are hardcoded
     auto http_request = grpc_core::HttpRequest::Get(
-        std::move(*uri), /*args=*/nullptr, pollent, &request,
-        deadline, on_complete, response,
+        std::move(*uri), /*args=*/nullptr, pollent, &request, deadline,
+        on_complete, response,
         grpc_core::RefCountedPtr<grpc_channel_credentials>(
             grpc_insecure_credentials_create()));
     http_request->Start();
@@ -321,8 +323,8 @@ class grpc_compute_engine_token_fetcher_credentials
 
   grpc_core::OrphanablePtr<FetchRequest> FetchToken(
       grpc_core::Timestamp deadline,
-      absl::AnyInvocable<
-          void(absl::StatusOr<grpc_core::RefCountedPtr<TokenFetcherCredentials::Token>>)>
+      absl::AnyInvocable<void(absl::StatusOr<grpc_core::RefCountedPtr<
+                                  TokenFetcherCredentials::Token>>)>
           on_done) override {
     email_fetcher_->StartEmailFetch();
     return grpc_core::MakeOrphanable<HttpFetchRequest>(