@el-j/google-sheet-translations 2.2.0-beta.4 → 2.2.0-beta.5

package/README.md

@@ -378,6 +378,23 @@ jobs:
 | `spreadsheet-title` | ❌ | `google-sheet-translations` | Title for the auto-created spreadsheet |
 | `source-locale` | ❌ | `en` | Source locale used as the base for auto-translate formulas |
 | `target-locales` | ❌ | `de,fr,es,it,pt,ja,zh` | Comma-separated target locales added to the auto-created spreadsheet |
+| `drive-folder-id` | ❌ | `''` | Drive folder ID used to auto-discover spreadsheets, docs, and images |
+| `scan-for-spreadsheets` | ❌ | `true` | When `drive-folder-id` is set, scan the folder recursively for spreadsheets |
+| `spreadsheet-ids` | ❌ | `''` | Optional extra spreadsheet IDs to merge with any IDs discovered in Drive |
+| `sync-images` | ❌ | `false` | Download Drive images alongside translation sync |
+| `image-output-path` | ❌ | `./public/remote-images` | Output directory for downloaded Drive images when `sync-images` is enabled |
+
+### Drive Folder Mode
+
+When `drive-folder-id` is set, the action switches from single-spreadsheet mode to `manageDriveTranslations()`. That enables recursive spreadsheet discovery, optional image sync, and optional explicit `spreadsheet-ids` on the same run.
+
+Operational notes:
+
+- If the Drive folder is empty and `auto-create` remains enabled, the package creates a spreadsheet and then tries to move it into the target folder.
+- `spreadsheetNameFilter` only applies to discovered sheets in the programmatic API. Explicit `spreadsheet-ids` are never filtered out.
+- `sync-images` supports incremental freshness checks and optional `cleanSync` deletion in the programmatic API. See the Drive Folder guide for those semantics before enabling destructive cleanup.
+
+See the full Drive Folder guide in `website/guide/drive-folder.md` for the complete API surface, image sync semantics, and Google Doc ingestion details.
 
 ### Outputs
 

package/dist/esm/index.js

@@ -2070,6 +2070,9 @@ function entriesToSeedKeys(entries) {
   return keys;
 }
 function entriesToTranslationData(entries, locale) {
+  if (locale === "__proto__" || locale === "constructor" || locale === "prototype") {
+    return {};
+  }
   const data = {};
   data[locale] = {};
   const counts = /* @__PURE__ */ new Map();
@@ -2398,11 +2401,226 @@ async function manageDriveTranslations(options) {
   return { translations, spreadsheetIds: filteredIds, imageSync, manifest, docIngestResults };
 }
 
+// src/setup/wifSetup.ts
+import { GoogleAuth as GoogleAuth4 } from "google-auth-library";
+var GcpApiError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+    this.name = "GcpApiError";
+  }
+};
+async function getAccessToken4(keyFilePath) {
+  const auth = new GoogleAuth4({
+    ...keyFilePath ? { keyFilename: keyFilePath } : {},
+    scopes: ["https://www.googleapis.com/auth/cloud-platform"]
+  });
+  const client = await auth.getClient();
+  const tokenResponse = await client.getAccessToken();
+  if (!tokenResponse.token) {
+    throw new Error(
+      "Failed to obtain a Google Cloud access token. Ensure you are authenticated via Application Default Credentials (run: gcloud auth application-default login) or provide --key-file pointing to a service account JSON key."
+    );
+  }
+  return tokenResponse.token;
+}
+async function gcpFetch(url, token, method = "GET", body) {
+  const response = await fetch(url, {
+    method,
+    headers: {
+      Authorization: `Bearer ${token}`,
+      "Content-Type": "application/json"
+    },
+    body: body !== void 0 ? JSON.stringify(body) : void 0
+  });
+  const data = await response.json();
+  if (!response.ok) {
+    const errData = data;
+    const message = errData.error?.message ?? `HTTP ${response.status}`;
+    throw new GcpApiError(message, response.status);
+  }
+  return data;
+}
+async function pollOperation(operationName, token, maxWaitMs = 6e4) {
+  const opUrl = operationName.startsWith("http") ? operationName : `https://iam.googleapis.com/v1/${operationName}`;
+  const deadline = Date.now() + maxWaitMs;
+  const maxWaitSecs = Math.round(maxWaitMs / 1e3);
+  while (Date.now() < deadline) {
+    const op = await gcpFetch(opUrl, token);
+    if (op.done) {
+      if (op.error) {
+        throw new Error(`Operation failed: ${op.error.message}`);
+      }
+      return;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 2e3));
+  }
+  if (Date.now() >= deadline) {
+    throw new Error(
+      `Operation timed out after ${maxWaitSecs} s. The resources may still be provisioning in the background \u2013 re-running the command is safe (existing resources are reused).`
+    );
+  }
+}
+async function getProjectNumber(projectId, token) {
+  const data = await gcpFetch(
+    `https://cloudresourcemanager.googleapis.com/v1/projects/${encodeURIComponent(projectId)}`,
+    token
+  );
+  return data.projectNumber;
+}
+async function createOrGetWifPool(projectId, poolId, token) {
+  try {
+    const op = await gcpFetch(
+      `https://iam.googleapis.com/v1/projects/${encodeURIComponent(projectId)}/locations/global/workloadIdentityPools?workloadIdentityPoolId=${encodeURIComponent(poolId)}`,
+      token,
+      "POST",
+      {
+        displayName: "GitHub Actions Pool",
+        description: "Pool for GitHub Actions OIDC authentication",
+        disabled: false
+      }
+    );
+    if (!op.done) {
+      await pollOperation(op.name, token);
+    } else if (op.error) {
+      throw new Error(`Operation failed: ${op.error.message}`);
+    }
+  } catch (err) {
+    if (err instanceof GcpApiError && err.status === 409) {
+      return;
+    }
+    throw err;
+  }
+}
+async function createOrGetWifProvider(projectId, poolId, providerId, githubRepo, token) {
+  try {
+    const op = await gcpFetch(
+      `https://iam.googleapis.com/v1/projects/${encodeURIComponent(projectId)}/locations/global/workloadIdentityPools/${encodeURIComponent(poolId)}/providers?workloadIdentityPoolProviderId=${encodeURIComponent(providerId)}`,
+      token,
+      "POST",
+      {
+        displayName: "GitHub OIDC Provider",
+        disabled: false,
+        attributeMapping: {
+          "google.subject": "assertion.sub",
+          "attribute.actor": "assertion.actor",
+          "attribute.repository": "assertion.repository"
+        },
+        // Scope the provider to this exact repository for security
+        attributeCondition: `assertion.repository=='${githubRepo}'`,
+        oidc: {
+          issuerUri: "https://token.actions.githubusercontent.com"
+        }
+      }
+    );
+    if (!op.done) {
+      await pollOperation(op.name, token);
+    } else if (op.error) {
+      throw new Error(`Operation failed: ${op.error.message}`);
+    }
+  } catch (err) {
+    if (err instanceof GcpApiError && err.status === 409) {
+      return;
+    }
+    throw err;
+  }
+}
+async function bindServiceAccount(projectId, serviceAccountEmail, projectNumber, poolId, githubRepo, token) {
+  const saResource = `projects/${encodeURIComponent(projectId)}/serviceAccounts/${encodeURIComponent(serviceAccountEmail)}`;
+  const principal = `principalSet://iam.googleapis.com/projects/${projectNumber}/locations/global/workloadIdentityPools/${poolId}/attribute.repository/${githubRepo}`;
+  const policy = await gcpFetch(
+    `https://iam.googleapis.com/v1/${saResource}:getIamPolicy`,
+    token,
+    "POST",
+    {}
+  );
+  const bindings = policy.bindings ?? [];
+  const role = "roles/iam.workloadIdentityUser";
+  const existing = bindings.find((b) => b.role === role);
+  if (existing) {
+    if (existing.members.includes(principal)) {
+      return;
+    }
+    existing.members.push(principal);
+  } else {
+    bindings.push({ role, members: [principal] });
+  }
+  await gcpFetch(
+    `https://iam.googleapis.com/v1/${saResource}:setIamPolicy`,
+    token,
+    "POST",
+    { policy: { ...policy, bindings } }
+  );
+}
+async function setupWIF(options) {
+  const poolId = options.poolId ?? "github-actions";
+  const providerId = options.providerId ?? "github-oidc";
+  const log = options.onProgress ?? (() => void 0);
+  if (!options.githubRepo.includes("/")) {
+    throw new Error(
+      `githubRepo must be in "owner/repo" format, got: "${options.githubRepo}"`
+    );
+  }
+  log("Authenticating with Google Cloud...");
+  const token = await getAccessToken4(options.keyFilePath);
+  log("Fetching project number...");
+  const projectNumber = await getProjectNumber(options.projectId, token);
+  log(`Creating Workload Identity Pool "${poolId}"...`);
+  await createOrGetWifPool(options.projectId, poolId, token);
+  log(`Creating OIDC Provider "${providerId}"...`);
+  await createOrGetWifProvider(
+    options.projectId,
+    poolId,
+    providerId,
+    options.githubRepo,
+    token
+  );
+  log("Binding service account permissions...");
+  await bindServiceAccount(
+    options.projectId,
+    options.serviceAccountEmail,
+    projectNumber,
+    poolId,
+    options.githubRepo,
+    token
+  );
+  const wifProvider = `projects/${projectNumber}/locations/global/workloadIdentityPools/${poolId}/providers/${providerId}`;
+  return { wifProvider, projectNumber, poolId, providerId };
+}
+async function grantDrivePermissions(options) {
+  const token = await getAccessToken4(options.keyFilePath);
+  const policy = await gcpFetch(
+    `https://cloudresourcemanager.googleapis.com/v1/projects/${encodeURIComponent(options.projectId)}:getIamPolicy`,
+    token,
+    "POST",
+    {}
+  );
+  const bindings = policy.bindings ?? [];
+  const role = "roles/drive.file";
+  const member = `serviceAccount:${options.serviceAccountEmail}`;
+  const existing = bindings.find((b) => b.role === role);
+  if (existing) {
+    if (existing.members.includes(member)) {
+      return;
+    }
+    existing.members.push(member);
+  } else {
+    bindings.push({ role, members: [member] });
+  }
+  await gcpFetch(
+    `https://cloudresourcemanager.googleapis.com/v1/projects/${encodeURIComponent(options.projectId)}:setIamPolicy`,
+    token,
+    "POST",
+    { policy: { ...policy, bindings } }
+  );
+}
+
 // src/index.ts
 var index_default = getSpreadSheetData;
 export {
   DEFAULT_IMAGE_EXTENSIONS,
   DEFAULT_WAIT_SECONDS,
+  GcpApiError,
   buildGoogleAuth,
   buildManifest,
   convertFromDataJsonFormat,
@@ -2424,6 +2642,7 @@ export {
   getOriginalHeaderForLocale,
   getSpreadSheetData,
   getTranslationSummary,
+  grantDrivePermissions,
   handleBidirectionalSync,
   inferLocaleFromDocName,
   ingestDoc,
@@ -2441,6 +2660,7 @@ export {
   resolveLocaleWithFallback,
   scanDriveFolderForDocs,
   scanDriveFolderForSpreadsheets,
+  setupWIF,
   slugifyKey,
   syncDriveImages,
   updateSpreadsheetWithLocalChanges,

package/dist/index.d.ts

@@ -44,6 +44,8 @@ export { parseDocContent, slugifyKey } from './utils/docParser';
 export type { ParsedDocEntry, DocKeyStrategy, ParseDocOptions } from './utils/docParser';
 export { ingestDoc, exportDoc, entriesToSeedKeys, entriesToTranslationData } from './utils/docIngester';
 export type { DocIngesterOptions, DocIngestResult, DocUpdateMode } from './utils/docIngester';
+export { setupWIF, grantDrivePermissions, GcpApiError } from './setup/wifSetup';
+export type { WifSetupOptions, WifSetupResult, GrantDrivePermissionsOptions } from './setup/wifSetup';
 import { getSpreadSheetData } from './getSpreadSheetData';
 export default getSpreadSheetData;
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGhF,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,uBAAuB,EAAE,MAAM,+CAA+C,CAAC;AACxF,OAAO,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC5F,OAAO,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAC1E,OAAO,EAAE,iCAAiC,EAAE,MAAM,4BAA4B,CAAC;AAG/E,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAG1D,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAGzE,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,EACnB,0BAA0B,EAC1B,4BAA4B,EAC5B,yBAAyB,GAC1B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,YAAY,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGpE,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACtG,YAAY,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAGnF,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAGpG,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,QAAQ,EACR,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,YAAY,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,gCAAgC,CAAC;AAG9E,OAAO,EAAE,8BAA8B,EAAE,MAAM,4BAA4B,CAAC;AAC5E,YAAY,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AAG/F,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC7E,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AAC1G,YAAY,EACV,oBAAoB,EACpB,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,YAAY,EAAE,yBAAyB,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAGxG,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACvF,YAAY,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAGxI,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACzF,YAAY,EAAE,YAAY,EAAE,6BAA6B,EAAE,MAAM,yBAAyB,CAAC;AAG3F,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAChE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGzF,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AACxG,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAG9F,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,eAAe,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGhF,YAAY,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGvE,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,uBAAuB,EAAE,MAAM,+CAA+C,CAAC;AACxF,OAAO,EAAE,yBAAyB,EAAE,MAAM,iDAAiD,CAAC;AAC5F,OAAO,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAC1E,OAAO,EAAE,iCAAiC,EAAE,MAAM,4BAA4B,CAAC;AAG/E,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAG5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAG1D,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAGzE,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,EACnB,0BAA0B,EAC1B,4BAA4B,EAC5B,yBAAyB,GAC1B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,YAAY,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAGpE,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACtG,YAAY,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAGnF,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAGpG,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,QAAQ,EACR,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,YAAY,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,gCAAgC,CAAC;AAG9E,OAAO,EAAE,8BAA8B,EAAE,MAAM,4BAA4B,CAAC;AAC5E,YAAY,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AAG/F,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC7E,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AAC1G,YAAY,EACV,oBAAoB,EACpB,+BAA+B,EAC/B,8BAA8B,GAC/B,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,YAAY,EAAE,yBAAyB,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAGxG,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACvF,YAAY,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAGxI,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AACzF,YAAY,EAAE,YAAY,EAAE,6BAA6B,EAAE,MAAM,yBAAyB,CAAC;AAG3F,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAChE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGzF,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AACxG,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAG9F,OAAO,EAAE,QAAQ,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAChF,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,4BAA4B,EAAE,MAAM,kBAAkB,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,eAAe,kBAAkB,CAAC"}

package/dist/index.js

@@ -32,6 +32,7 @@ var index_exports = {};
 __export(index_exports, {
   DEFAULT_IMAGE_EXTENSIONS: () => DEFAULT_IMAGE_EXTENSIONS,
   DEFAULT_WAIT_SECONDS: () => DEFAULT_WAIT_SECONDS,
+  GcpApiError: () => GcpApiError,
   buildGoogleAuth: () => buildGoogleAuth,
   buildManifest: () => buildManifest,
   convertFromDataJsonFormat: () => convertFromDataJsonFormat,
@@ -53,6 +54,7 @@ __export(index_exports, {
   getOriginalHeaderForLocale: () => getOriginalHeaderForLocale,
   getSpreadSheetData: () => getSpreadSheetData,
   getTranslationSummary: () => getTranslationSummary,
+  grantDrivePermissions: () => grantDrivePermissions,
   handleBidirectionalSync: () => handleBidirectionalSync,
   inferLocaleFromDocName: () => inferLocaleFromDocName,
   ingestDoc: () => ingestDoc,
@@ -70,6 +72,7 @@ __export(index_exports, {
   resolveLocaleWithFallback: () => resolveLocaleWithFallback,
   scanDriveFolderForDocs: () => scanDriveFolderForDocs,
   scanDriveFolderForSpreadsheets: () => scanDriveFolderForSpreadsheets,
+  setupWIF: () => setupWIF,
   slugifyKey: () => slugifyKey,
   syncDriveImages: () => syncDriveImages,
   updateSpreadsheetWithLocalChanges: () => updateSpreadsheetWithLocalChanges,
@@ -2158,6 +2161,9 @@ function entriesToSeedKeys(entries) {
   return keys;
 }
 function entriesToTranslationData(entries, locale) {
+  if (locale === "__proto__" || locale === "constructor" || locale === "prototype") {
+    return {};
+  }
   const data = {};
   data[locale] = {};
   const counts = /* @__PURE__ */ new Map();
@@ -2486,12 +2492,227 @@ async function manageDriveTranslations(options) {
   return { translations, spreadsheetIds: filteredIds, imageSync, manifest, docIngestResults };
 }
 
+// src/setup/wifSetup.ts
+var import_google_auth_library4 = require("google-auth-library");
+var GcpApiError = class extends Error {
+  constructor(message, status) {
+    super(message);
+    this.status = status;
+    this.name = "GcpApiError";
+  }
+};
+async function getAccessToken4(keyFilePath) {
+  const auth = new import_google_auth_library4.GoogleAuth({
+    ...keyFilePath ? { keyFilename: keyFilePath } : {},
+    scopes: ["https://www.googleapis.com/auth/cloud-platform"]
+  });
+  const client = await auth.getClient();
+  const tokenResponse = await client.getAccessToken();
+  if (!tokenResponse.token) {
+    throw new Error(
+      "Failed to obtain a Google Cloud access token. Ensure you are authenticated via Application Default Credentials (run: gcloud auth application-default login) or provide --key-file pointing to a service account JSON key."
+    );
+  }
+  return tokenResponse.token;
+}
+async function gcpFetch(url, token, method = "GET", body) {
+  const response = await fetch(url, {
+    method,
+    headers: {
+      Authorization: `Bearer ${token}`,
+      "Content-Type": "application/json"
+    },
+    body: body !== void 0 ? JSON.stringify(body) : void 0
+  });
+  const data = await response.json();
+  if (!response.ok) {
+    const errData = data;
+    const message = errData.error?.message ?? `HTTP ${response.status}`;
+    throw new GcpApiError(message, response.status);
+  }
+  return data;
+}
+async function pollOperation(operationName, token, maxWaitMs = 6e4) {
+  const opUrl = operationName.startsWith("http") ? operationName : `https://iam.googleapis.com/v1/${operationName}`;
+  const deadline = Date.now() + maxWaitMs;
+  const maxWaitSecs = Math.round(maxWaitMs / 1e3);
+  while (Date.now() < deadline) {
+    const op = await gcpFetch(opUrl, token);
+    if (op.done) {
+      if (op.error) {
+        throw new Error(`Operation failed: ${op.error.message}`);
+      }
+      return;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 2e3));
+  }
+  if (Date.now() >= deadline) {
+    throw new Error(
+      `Operation timed out after ${maxWaitSecs} s. The resources may still be provisioning in the background \u2013 re-running the command is safe (existing resources are reused).`
+    );
+  }
+}
+async function getProjectNumber(projectId, token) {
+  const data = await gcpFetch(
+    `https://cloudresourcemanager.googleapis.com/v1/projects/${encodeURIComponent(projectId)}`,
+    token
+  );
+  return data.projectNumber;
+}
+async function createOrGetWifPool(projectId, poolId, token) {
+  try {
+    const op = await gcpFetch(
+      `https://iam.googleapis.com/v1/projects/${encodeURIComponent(projectId)}/locations/global/workloadIdentityPools?workloadIdentityPoolId=${encodeURIComponent(poolId)}`,
+      token,
+      "POST",
+      {
+        displayName: "GitHub Actions Pool",
+        description: "Pool for GitHub Actions OIDC authentication",
+        disabled: false
+      }
+    );
+    if (!op.done) {
+      await pollOperation(op.name, token);
+    } else if (op.error) {
+      throw new Error(`Operation failed: ${op.error.message}`);
+    }
+  } catch (err) {
+    if (err instanceof GcpApiError && err.status === 409) {
+      return;
+    }
+    throw err;
+  }
+}
+async function createOrGetWifProvider(projectId, poolId, providerId, githubRepo, token) {
+  try {
+    const op = await gcpFetch(
+      `https://iam.googleapis.com/v1/projects/${encodeURIComponent(projectId)}/locations/global/workloadIdentityPools/${encodeURIComponent(poolId)}/providers?workloadIdentityPoolProviderId=${encodeURIComponent(providerId)}`,
+      token,
+      "POST",
+      {
+        displayName: "GitHub OIDC Provider",
+        disabled: false,
+        attributeMapping: {
+          "google.subject": "assertion.sub",
+          "attribute.actor": "assertion.actor",
+          "attribute.repository": "assertion.repository"
+        },
+        // Scope the provider to this exact repository for security
+        attributeCondition: `assertion.repository=='${githubRepo}'`,
+        oidc: {
+          issuerUri: "https://token.actions.githubusercontent.com"
+        }
+      }
+    );
+    if (!op.done) {
+      await pollOperation(op.name, token);
+    } else if (op.error) {
+      throw new Error(`Operation failed: ${op.error.message}`);
+    }
+  } catch (err) {
+    if (err instanceof GcpApiError && err.status === 409) {
+      return;
+    }
+    throw err;
+  }
+}
+async function bindServiceAccount(projectId, serviceAccountEmail, projectNumber, poolId, githubRepo, token) {
+  const saResource = `projects/${encodeURIComponent(projectId)}/serviceAccounts/${encodeURIComponent(serviceAccountEmail)}`;
+  const principal = `principalSet://iam.googleapis.com/projects/${projectNumber}/locations/global/workloadIdentityPools/${poolId}/attribute.repository/${githubRepo}`;
+  const policy = await gcpFetch(
+    `https://iam.googleapis.com/v1/${saResource}:getIamPolicy`,
+    token,
+    "POST",
+    {}
+  );
+  const bindings = policy.bindings ?? [];
+  const role = "roles/iam.workloadIdentityUser";
+  const existing = bindings.find((b) => b.role === role);
+  if (existing) {
+    if (existing.members.includes(principal)) {
+      return;
+    }
+    existing.members.push(principal);
+  } else {
+    bindings.push({ role, members: [principal] });
+  }
+  await gcpFetch(
+    `https://iam.googleapis.com/v1/${saResource}:setIamPolicy`,
+    token,
+    "POST",
+    { policy: { ...policy, bindings } }
+  );
+}
+async function setupWIF(options) {
+  const poolId = options.poolId ?? "github-actions";
+  const providerId = options.providerId ?? "github-oidc";
+  const log = options.onProgress ?? (() => void 0);
+  if (!options.githubRepo.includes("/")) {
+    throw new Error(
+      `githubRepo must be in "owner/repo" format, got: "${options.githubRepo}"`
+    );
+  }
+  log("Authenticating with Google Cloud...");
+  const token = await getAccessToken4(options.keyFilePath);
+  log("Fetching project number...");
+  const projectNumber = await getProjectNumber(options.projectId, token);
+  log(`Creating Workload Identity Pool "${poolId}"...`);
+  await createOrGetWifPool(options.projectId, poolId, token);
+  log(`Creating OIDC Provider "${providerId}"...`);
+  await createOrGetWifProvider(
+    options.projectId,
+    poolId,
+    providerId,
+    options.githubRepo,
+    token
+  );
+  log("Binding service account permissions...");
+  await bindServiceAccount(
+    options.projectId,
+    options.serviceAccountEmail,
+    projectNumber,
+    poolId,
+    options.githubRepo,
+    token
+  );
+  const wifProvider = `projects/${projectNumber}/locations/global/workloadIdentityPools/${poolId}/providers/${providerId}`;
+  return { wifProvider, projectNumber, poolId, providerId };
+}
+async function grantDrivePermissions(options) {
+  const token = await getAccessToken4(options.keyFilePath);
+  const policy = await gcpFetch(
+    `https://cloudresourcemanager.googleapis.com/v1/projects/${encodeURIComponent(options.projectId)}:getIamPolicy`,
+    token,
+    "POST",
+    {}
+  );
+  const bindings = policy.bindings ?? [];
+  const role = "roles/drive.file";
+  const member = `serviceAccount:${options.serviceAccountEmail}`;
+  const existing = bindings.find((b) => b.role === role);
+  if (existing) {
+    if (existing.members.includes(member)) {
+      return;
+    }
+    existing.members.push(member);
+  } else {
+    bindings.push({ role, members: [member] });
+  }
+  await gcpFetch(
+    `https://cloudresourcemanager.googleapis.com/v1/projects/${encodeURIComponent(options.projectId)}:setIamPolicy`,
+    token,
+    "POST",
+    { policy: { ...policy, bindings } }
+  );
+}
+
 // src/index.ts
 var index_default = getSpreadSheetData;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   DEFAULT_IMAGE_EXTENSIONS,
   DEFAULT_WAIT_SECONDS,
+  GcpApiError,
   buildGoogleAuth,
   buildManifest,
   convertFromDataJsonFormat,
@@ -2512,6 +2733,7 @@ var index_default = getSpreadSheetData;
   getOriginalHeaderForLocale,
   getSpreadSheetData,
   getTranslationSummary,
+  grantDrivePermissions,
   handleBidirectionalSync,
   inferLocaleFromDocName,
   ingestDoc,
@@ -2529,6 +2751,7 @@ var index_default = getSpreadSheetData;
   resolveLocaleWithFallback,
   scanDriveFolderForDocs,
   scanDriveFolderForSpreadsheets,
+  setupWIF,
   slugifyKey,
   syncDriveImages,
   updateSpreadsheetWithLocalChanges,

package/dist/setup/cli.d.ts

@@ -0,0 +1,13 @@
+/**
+ * gst-setup-wif – Interactive CLI for configuring Workload Identity Federation.
+ *
+ * Usage:
+ *   npx -p @el-j/google-sheet-translations gst-setup-wif
+ *   npx -p @el-j/google-sheet-translations gst-setup-wif \
+ *     --project=my-gcp-project \
+ *     --service-account=deploy@my-gcp-project.iam.gserviceaccount.com \
+ *     --repo=myorg/myrepo \
+ *     --key-file=./service-account-key.json
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/setup/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/setup/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}

package/dist/setup/wifSetup.d.ts

@@ -0,0 +1,95 @@
+export interface WifSetupOptions {
+    /** Google Cloud project ID (e.g. "my-gcp-project") */
+    projectId: string;
+    /** Service account email (e.g. "deploy@my-gcp-project.iam.gserviceaccount.com") */
+    serviceAccountEmail: string;
+    /** GitHub repository in "owner/repo" format (e.g. "myorg/myrepo") */
+    githubRepo: string;
+    /** Workload Identity Pool ID (default: "github-actions") */
+    poolId?: string;
+    /** OIDC Provider ID (default: "github-oidc") */
+    providerId?: string;
+    /** Path to a service account JSON key file used for bootstrapping.
+     *  If omitted, Application Default Credentials (ADC) are used. */
+    keyFilePath?: string;
+    /** Optional callback invoked before each setup step for progress reporting. */
+    onProgress?: (step: string) => void;
+}
+export interface WifSetupResult {
+    /** Full WIF provider resource name – set this as the `WIF_PROVIDER` env var */
+    wifProvider: string;
+    /** Numeric Google Cloud project number */
+    projectNumber: string;
+    /** Workload Identity Pool ID used */
+    poolId: string;
+    /** OIDC Provider ID used */
+    providerId: string;
+}
+export interface GrantDrivePermissionsOptions {
+    /** Google Cloud project ID */
+    projectId: string;
+    /** Service account email to grant Drive access */
+    serviceAccountEmail: string;
+    /** Path to a service account JSON key file used for bootstrapping. */
+    keyFilePath?: string;
+}
+export declare class GcpApiError extends Error {
+    readonly status: number;
+    constructor(message: string, status: number);
+}
+/**
+ * Configures Workload Identity Federation (WIF) on Google Cloud so that
+ * GitHub Actions can authenticate without a long-lived service account key.
+ *
+ * This function is **idempotent**: re-running it when resources already exist
+ * is safe – existing pools, providers and IAM bindings are reused.
+ *
+ * Steps performed:
+ * 1. Resolves the numeric Google Cloud project number.
+ * 2. Creates (or reuses) a Workload Identity Pool named `poolId`.
+ * 3. Creates (or reuses) an OIDC Provider scoped to `githubRepo`.
+ * 4. Grants the service account the `roles/iam.workloadIdentityUser` role
+ *    for tokens originating from `githubRepo`.
+ *
+ * The returned {@link WifSetupResult.wifProvider} is the full provider resource
+ * name that should be set as the `WIF_PROVIDER` environment variable / GitHub
+ * Actions environment variable.
+ *
+ * @example
+ * ```typescript
+ * import { setupWIF } from '@el-j/google-sheet-translations';
+ *
+ * const result = await setupWIF({
+ *   projectId: 'my-gcp-project',
+ *   serviceAccountEmail: 'deploy@my-gcp-project.iam.gserviceaccount.com',
+ *   githubRepo: 'myorg/myrepo',
+ *   keyFilePath: './service-account-key.json',
+ *   onProgress: (step) => console.log(' ⏳', step),
+ * });
+ *
+ * console.log('WIF_PROVIDER =', result.wifProvider);
+ * ```
+ */
+export declare function setupWIF(options: WifSetupOptions): Promise<WifSetupResult>;
+/**
+ * Grants the service account `roles/drive.file` on the Google Cloud project.
+ *
+ * This is required when using the Drive-folder features of
+ * `@el-j/google-sheet-translations` (e.g. `manageDriveTranslations()`)
+ * so the service account can create and access spreadsheets inside a shared
+ * Drive folder.
+ *
+ * This function is **idempotent** – it checks the existing policy before
+ * adding the binding.
+ *
+ * @example
+ * ```typescript
+ * await grantDrivePermissions({
+ *   projectId: 'my-gcp-project',
+ *   serviceAccountEmail: 'deploy@my-gcp-project.iam.gserviceaccount.com',
+ *   keyFilePath: './service-account-key.json',
+ * });
+ * ```
+ */
+export declare function grantDrivePermissions(options: GrantDrivePermissionsOptions): Promise<void>;
+//# sourceMappingURL=wifSetup.d.ts.map