Commit d61f10e

[log] oidc: add debug logging to provider.go (#4246)
Adds `logOIDC` debug logging calls to `internal/oidc/provider.go` to improve traceability for OIDC token lifecycle operations.

## Changes

**File modified:** `internal/oidc/provider.go` (4 new log calls)

| Location | Log call | Purpose |
|---|---|---|
| `NewProvider` | `logOIDC.Printf("Creating OIDC provider: requestURL=%s, hasToken=%v", ...)` | Log provider initialization |
| `fetchToken` | `logOIDC.Printf("OIDC token HTTP response: status=%d, bodyLen=%d", ...)` | Log HTTP response before error check |
| `extractJWTExpiry` | `logOIDC.Printf("Parsing JWT expiry: partCount=%d, payloadLen=%d", ...)` | Log JWT parsing entry point |
| `extractJWTExpiry` | `logOIDC.Printf("JWT expiry parsed: exp=%d, expiresAt=%s", ...)` | Log successful expiry extraction |

The `extractJWTExpiry` function previously had zero debug visibility — these additions make it much easier to diagnose JWT parsing failures and token expiry edge cases.

## Existing logger reused

The file already declares `var logOIDC = logger.New("oidc:provider")` — no new logger was added.

Enable with: `DEBUG=oidc:* ./awmg --config config.toml`

## Validation

- `go build ./...` ✅
- `go vet ./...` ✅
- `go test ./internal/oidc/...` ✅ (all 10 tests pass)
- `go test ./internal/...` ✅ (one pre-existing unrelated failure in `internal/config`)

> [!WARNING]
> <details>
> <summary><strong>⚠️ Firewall blocked 1 domain</strong></summary>
>
> The following domain was blocked by the firewall during workflow execution:
>
> - `invalidhostthatdoesnotexist12345.com`
>
> To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:
>
> ```yaml
> network:
>   allowed:
>     - defaults
>     - "invalidhostthatdoesnotexist12345.com"
> ```
>
> See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information.
>
> </details>

> Generated by [Go Logger Enhancement](https://github.com/github/gh-aw-mcpg/actions/runs/24705145580/agentic_workflow) · ● 4.2M · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+go-logger%22&type=pullrequests)

<!-- gh-aw-agentic-workflow: Go Logger Enhancement, engine: copilot, model: auto, id: 24705145580, workflow_id: go-logger, run: https://github.com/github/gh-aw-mcpg/actions/runs/24705145580 -->
<!-- gh-aw-workflow-id: go-logger -->

2 parents baa83f9 + b431219 commit d61f10e

1 file changed

Lines changed: 7 additions & 1 deletion

internal/oidc/provider.go

@@ -59,6 +59,7 @@ func ErrMissingOIDCEnvVar(serverID string) error {
5959
// These values come from the ACTIONS_ID_TOKEN_REQUEST_URL and
6060
// ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables respectively.
6161
func NewProvider(requestURL, requestToken string) *Provider {
62+
logOIDC.Printf("Creating OIDC provider: requestURL=%s, hasToken=%v", requestURL, requestToken != "")
6263
return &Provider{
6364
requestURL: requestURL,
6465
requestToken: requestToken,
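Review bot: `requestURL` is written to the debug log verbatim by the new `logOIDC.Printf` call at the top of `NewProvider`. If that URL can carry query parameters or embedded credentials, they end up in any log captured with `DEBUG=oidc:*`; consider parsing it and logging only scheme, host and path. Reducing the token to the `hasToken` boolean is the right shape and should stay as is.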
@@ -126,6 +127,7 @@ func (p *Provider) fetchToken(ctx context.Context, audience string) (string, tim
126127
return "", time.Time{}, fmt.Errorf("failed to read OIDC token response: %w", err)
127128
}
128129

130+
logOIDC.Printf("OIDC token HTTP response: status=%d, bodyLen=%d", resp.StatusCode, len(body))
129131
if resp.StatusCode != http.StatusOK {
130132
return "", time.Time{}, fmt.Errorf("OIDC token request returned HTTP %d: %s", resp.StatusCode, string(body))
131133
}
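Review bot: the non-200 branch directly below the new log call still returns `string(body)` inside the error text, so response content can reach logs through normal error handling even though the new debug line is careful to record only `bodyLen`. Consider truncating or dropping the body in that `fmt.Errorf`, in this change or a follow-up, so the error path is as conservative as the debug line. A short comment on the new call stating that the body is deliberately not logged would also stop someone "improving" it later.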
@@ -161,6 +163,8 @@ func extractJWTExpiry(jwtToken string) (time.Time, error) {
161163
return time.Time{}, fmt.Errorf("malformed JWT: expected 3 parts, got %d", len(parts))
162164
}
163165

166+
logOIDC.Printf("Parsing JWT expiry: partCount=%d, payloadLen=%d", len(parts), len(parts[1]))
167+
164168
// Decode the payload (second part) with base64url encoding
165169
// JWT uses base64url without padding, so we add padding as needed
166170
payload := parts[1]
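Review bot: `partCount` in the new `Parsing JWT expiry` line is always 3, because the check just above returns `malformed JWT: expected 3 parts, got %d` for any other count, so the field adds no information; drop it and keep `payloadLen`. The malformed case, which is the one worth tracing, is still not logged; if debug visibility is the goal, a log call before that early return would be more useful. The second added line is a stray blank line and can go.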
@@ -186,5 +190,7 @@ func extractJWTExpiry(jwtToken string) (time.Time, error) {
186190
return time.Time{}, fmt.Errorf("JWT has no exp claim")
187191
}
188192

189-
return time.Unix(claims.Exp, 0), nil
193+
expiresAt := time.Unix(claims.Exp, 0)
194+
logOIDC.Printf("JWT expiry parsed: exp=%d, expiresAt=%s", claims.Exp, expiresAt.Format(time.RFC3339))
195+
return expiresAt, nil
190196
}
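Review bot: `expiresAt.Format(time.RFC3339)` in the new `JWT expiry parsed` line renders in the process's local time zone, since `time.Unix` returns a local `Time`; use `expiresAt.UTC().Format(time.RFC3339)` so log timestamps are comparable across runners and line up with the raw `exp` value. The line also fires for tokens whose `exp` is already in the past without saying so; adding a remaining-lifetime or `expired=%v` field would make the "token expiry edge cases" mentioned in the commit message visible at a glance.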
