feat: add GAR Helm chart support to credential providers

[filip-aipl]

Fixes #4801

Summary

Adds Google Artifact Registry (GAR) Helm chart support to existing credential providers.

Changes

• Enable credentials.TypeHelm support in GAR ServiceAccountKeyProvider and WorkloadIdentityFederationProvider
• Update regex patterns to handle oci:// prefix for GAR/GCR Helm chart URLs
• Document GAR Helm chart authentication in user guides

Problem Solved

Fixes "Unauthenticated request" errors when Kargo warehouses attempt to discover Helm charts from Google Artifact Registry repositories.

Testing

• All existing tests pass
• New test cases verify Helm chart authentication support
• Follows existing ECR provider patterns for consistency
• Tested live on local Kargo build with existing registries

[netlify]

✅ Deploy Preview for docs-kargo-io ready!

Name	Link
🔨 Latest commit	4939fdb
🔍 Latest deploy log	https://app.netlify.com/projects/docs-kargo-io/deploys/68a41192eb9f980008b412aa
😎 Deploy Preview	https://deploy-preview-4637.docs.kargo.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[filip-aipl]

Is there anything else I have to do on my side? @hiddeco

[krancour]

I think this was covered already on lines 634 - 636.

Suggested change

	For OCI Helm chart repositories (like Google Artifact Registry), use the `oci://` prefix and omit the `name` field:
	```yaml
	spec:
	subscriptions:
	- chart:
	repoURL: oci://us-central1-docker.pkg.dev/my-project/my-helm-charts/my-chart
	semverConstraint: ^1.0.0
	```

[krancour]

Not sure why this line was added, but most markdown linters do not like double line breaks.

Suggested change

[krancour]

It may be worth replacing or augmenting this with an example, since image repo URLs do not have leading oci:// while chart repo URLs do.

[krancour]

Same as here.

[krancour]

This feels like an "afterthought." I'd suggest that we rewind all the way to line 520 and introduce the two examples like:

To use this option, your `Secret` should take the following form:

* For a container image repository:

  ```yaml
  < example goes here>
  ```

* For an OCI Helm chart repository:

  ```yaml
  < example goes here>
  ```

[krancour]

Nit: This feels easier to comprehend, although this isn't a hill I'd die on. Up to you.

Suggested change

	if (credType != credentials.TypeImage && credType != credentials.TypeHelm) ||
	if !(credType == credentials.TypeImage || credType == credentials.TypeHelm) ||

[krancour]

All of these are OCI. Helm charts are just more in your face about the fact because, for whatever reason, Helm chose to use a leading oci:// with URLs for OCI repos. Kargo just follows their lead, because if that's what Helm users are accustomed to, who are we to argue?

I would suggest naming these this way for accuracy and clarity:

Suggested change

	fakeGCRRepoURL = "gcr.io/my-project/my-repo"
	fakeGARRepoURL = "us-central1-docker.pkg.dev/my-project/my-repo"
	fakeGCROCIRepoURL = "oci://gcr.io/my-project/my-repo"
	fakeGAROCIRepoURL = "oci://us-central1-docker.pkg.dev/my-project/my-repo"
	fakeGCRImageRepoURL = "gcr.io/my-project/my-repo"
	fakeGARImageRepoURL = "us-central1-docker.pkg.dev/my-project/my-repo"
	fakeGCRChartRepoURL = "oci://gcr.io/my-project/my-repo"
	fakeGARChartRepoURL = "oci://us-central1-docker.pkg.dev/my-project/my-repo"

[krancour]

The scope of this PR creeps too much if we want to fix this now, so I'd like to just leave this note here for myself.

Suggested change

	gcrURLRegex = regexp.MustCompile(`^(?:oci://)?(?:.+\.)?gcr\.io/`) // Legacy
	garURLRegex = regexp.MustCompile(`^(?:oci://)?(.+-docker\.pkg\.dev/)`)
	// TODO(krancour): Repo URLs are not currently normalized prior to credential
	// providers being invoked. When that is fixed, the optional leading `oci://`
	// can be removed from these regular expressions.
	gcrURLRegex = regexp.MustCompile(`^(?:oci://)?(?:.+\.)?gcr\.io/`) // Legacy
	garURLRegex = regexp.MustCompile(`^(?:oci://)?(.+-docker\.pkg\.dev/)`)

[krancour]

Same as here.

[krancour]

Thank you for this @filip-aipl. I left some minor, easily-addressable comments. This all checks out end-to-end. As soon as this is cleaned up, I'll approve. Thanks again!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.17%. Comparing base (11ea88a) to head (4939fdb).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4637      +/-   ##
==========================================
+ Coverage   54.16%   54.17%   +0.01%     
==========================================
  Files         395      395              
  Lines       33896    33904       +8     
==========================================
+ Hits        18359    18367       +8     
  Misses      14608    14608              
  Partials      929      929              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.