Merge branch 'main' into fix-fast-sql-query-b467064659

Author: jinseopkim0

.github/workflows/librarian_generation_check.yaml

@@ -73,6 +73,9 @@ jobs:
       run: |
         if [ -n "$(git status --porcelain)" ]; then
           git status
+          echo "==================== GIT DIFF ===================="
+          git diff
+          echo "=================================================="
           echo "Regeneration produced code changes! Please run 'librarian generate --all' to update the generated files."
           exit 1
         fi

…thub/workflows/generated_files_sync.yaml .github/workflows/repository_sanity.yaml.github/workflows/generated_files_sync.yaml renamed to .github/workflows/repository_sanity.yaml .github/workflows/generated_files_sync.yaml renamed to .github/workflows/repository_sanity.yaml

@@ -15,73 +15,8 @@
 # downstream client libraries before they are released.
 on:
   pull_request:
-name: generation diff
-env:
-  library_generation_image_tag: 2.73.0  # {x-version-update:gapic-generator-java:current}
+name: Repository Config & Code Sanity
 jobs:
-  root-pom:
-    # root pom.xml does not have diff from generated one
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Generate root pom.xml file
-      shell: bash
-      run: |
-        bash generation/run_generator_docker.sh "${library_generation_image_tag}" "${{ github.base_ref }}" \
-          --quiet \
-          -u "$(id -u):$(id -g)" \
-          -v "$(pwd):/workspace" \
-          --entrypoint python \
-          -- \
-          /src/library_generation/cli/generate_monorepo_root_pom.py \
-          generate \
-          --repository-path=/workspace
-    - name: Fail if there's any difference
-      run: git --no-pager diff --exit-code
-
-  gapic-bom:
-    # gapic-libraries-bom does not have diff from generated one
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Generate gapic-libraries-bom/pom.xml
-      shell: bash
-      run: |
-        bash generation/run_generator_docker.sh "${library_generation_image_tag}" "${{ github.base_ref }}" \
-          --quiet \
-          -u "$(id -u):$(id -g)" \
-          -v "$(pwd):/workspace" \
-          --entrypoint python \
-          -- \
-          /src/library_generation/cli/generate_monorepo_gapic_bom.py \
-          generate \
-          --repository-path=/workspace \
-          --versions-file=/workspace/versions.txt
-    - name: Fail if there's any difference
-      run: git --no-pager diff --exit-code
-
-  owlbot-py:
-    # applying templated owlbot.py config doesn't create a diff
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Generate owlbot.py files
-        run: |
-          bash generation/update_owlbot_postprocessor_config.sh
-      - name: Fail if there's any difference (To fix, run generation/update_owlbot_postprocessor_config.sh)
-        run: git --no-pager diff --exit-code
-
-  owlbot-yaml:
-    # Each module's .Owlbot-hermetic.yaml config is configured according to set_owlbot_config.sh
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check if .Owlbot-hermetic.yaml files are correctly configured
-        run: |
-          bash generation/set_owlbot_config.sh
-      - name: Fail if there's any difference (To fix, run generation/set_owlbot_config.sh)
-        run: git --no-pager diff --exit-code
-
   gitignore_correctness:
     # Generated files should not match .gitignore
     runs-on: ubuntu-latest

.github/workflows/update_librarian_googleapis.yaml

@@ -128,7 +128,10 @@ jobs:
       env:
         GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_GITHUB_TOKEN }}
         PR_TITLE: "chore: update googleapis commitish to ${{ steps.commit.outputs.short_commit }}"
-        PR_BODY: "Updated googleapis commitish in librarian.yaml and generation_config.yaml to https://github.com/googleapis/googleapis/commit/${{ steps.commit.outputs.new_commit }}"
+        PR_BODY: |
+          Updated googleapis commitish in librarian.yaml and generation_config.yaml to https://github.com/googleapis/googleapis/commit/${{ steps.commit.outputs.new_commit }}
+
+          💡 **Note:** Please merge or close this PR so that the daily update workflow can continue to run successfully the next day. Alternatively, you can manually trigger the workflow once this PR is merged or closed.
       run: |
         set -x
         

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "1.87.0"
+  ".": "1.87.1"
 }

gapic-libraries-bom/pom.xml

@@ -4,7 +4,7 @@
   <groupId>com.google.cloud</groupId>
   <artifactId>gapic-libraries-bom</artifactId>
   <packaging>pom</packaging>
-  <version>1.87.0</version><!-- {x-version-update:google-cloud-java:current} -->
+  <version>1.87.1</version><!-- {x-version-update:google-cloud-java:current} -->
   <name>Google Cloud Java BOM</name>
   <description>
     BOM for the libraries in google-cloud-java repository. Users should not
@@ -241,7 +241,7 @@
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>google-cloud-biglake-bom</artifactId>
-        <version>0.81.0</version><!-- {x-version-update:google-cloud-biglake:current} -->
+        <version>0.81.1</version><!-- {x-version-update:google-cloud-biglake:current} -->
         <type>pom</type>
         <scope>import</scope>
       </dependency>

google-auth-library-java/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java

@@ -146,7 +146,7 @@ public class ClientSideCredentialAccessBoundaryFactory {
   private final Duration refreshMargin;
   private RefreshTask refreshTask;
   private final Object refreshLock = new byte[0];
-  private IntermediateCredentials intermediateCredentials = null;
+  private volatile IntermediateCredentials intermediateCredentials = null;
   private final Clock clock;
   private final CelCompiler celCompiler;
 
@@ -234,8 +234,26 @@ void refreshCredentialsIfRequired() throws IOException {
       return;
     }
 
-    // If a refresh is required, create or retrieve the refresh task.
-    RefreshTask currentRefreshTask = getOrCreateRefreshTask();
+    RefreshTask currentRefreshTask;
+    // Synchronize both the decision to refresh and the task creation to prevent a race
+    // condition. Without this, multiple threads might concurrently determine a refresh is
+    // needed (e.g., in ASYNC mode) and return ASYNC. The first thread would start the refresh
+    // task. If that task completes quickly and clears the `refreshTask` reference, a subsequent
+    // thread that also determined a refresh was needed would then see `refreshTask` as null
+    // and incorrectly start a second, redundant refresh task.
+    synchronized (refreshLock) {
+      // Re-evaluate the refresh type under the lock, as another thread might have completed
+      // the refresh while this thread was waiting for the lock.
+      refreshType = determineRefreshType();
+
+      if (refreshType == RefreshType.NONE) {
+        // No refresh needed, token is still valid.
+        return;
+      }
+
+      // If a refresh is required, create or retrieve the refresh task.
+      currentRefreshTask = getOrCreateRefreshTask();
+    }
 
     // Handle the refresh based on the determined refresh type.
     switch (refreshType) {
@@ -283,16 +301,14 @@ void refreshCredentialsIfRequired() throws IOException {
     }
   }
 
+  // Assumes the caller holds refreshLock.
   private RefreshType determineRefreshType() {
-    AccessToken intermediateAccessToken;
-    synchronized (refreshLock) {
-      if (intermediateCredentials == null
-          || intermediateCredentials.intermediateAccessToken == null) {
-        // A blocking refresh is needed if the intermediate access token doesn't exist.
-        return RefreshType.BLOCKING;
-      }
-      intermediateAccessToken = intermediateCredentials.intermediateAccessToken;
+    if (intermediateCredentials == null
+        || intermediateCredentials.intermediateAccessToken == null) {
+      // A blocking refresh is needed if the intermediate access token doesn't exist.
+      return RefreshType.BLOCKING;
     }
+    AccessToken intermediateAccessToken = intermediateCredentials.intermediateAccessToken;
 
     Date expirationTime = intermediateAccessToken.getExpirationTime();
     if (expirationTime == null) {
@@ -322,23 +338,22 @@ private RefreshType determineRefreshType() {
    * responsibility of the caller to execute it. The task will clear the single flight slot upon
    * completion.
    */
+  // Assumes the caller holds refreshLock.
   private RefreshTask getOrCreateRefreshTask() {
-    synchronized (refreshLock) {
-      if (refreshTask != null) {
-        // An existing refresh task is already in progress. Return a NEW RefreshTask instance with
-        // the existing task, but set isNew to false. This indicates to the caller that a new
-        // refresh task was NOT created.
-        return new RefreshTask(refreshTask.task, false);
-      }
+    if (refreshTask != null) {
+      // An existing refresh task is already in progress. Return a NEW RefreshTask instance with
+      // the existing task, but set isNew to false. This indicates to the caller that a new
+      // refresh task was NOT created.
+      return new RefreshTask(refreshTask.task, false);
+    }
 
-      final ListenableFutureTask<IntermediateCredentials> task =
-          ListenableFutureTask.create(this::fetchIntermediateCredentials);
+    final ListenableFutureTask<IntermediateCredentials> task =
+        ListenableFutureTask.create(this::fetchIntermediateCredentials);
 
-      // Store the new refresh task in the refreshTask field before returning. This ensures that
-      // subsequent calls to this method will return the existing task while it's still in progress.
-      refreshTask = new RefreshTask(task, true);
-      return refreshTask;
-    }
+    // Store the new refresh task in the refreshTask field before returning. This ensures that
+    // subsequent calls to this method will return the existing task while it's still in progress.
+    refreshTask = new RefreshTask(task, true);
+    return refreshTask;
   }
 
   /**

google-auth-library-java/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java

@@ -70,7 +70,6 @@
 import java.util.Map;
 import java.util.concurrent.CountDownLatch;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 /**
@@ -325,7 +324,6 @@ void refreshCredentialsIfRequired_blockingMultiThread() throws IOException, Inte
   }
 
   @Test
-  @Disabled("Flaky test: https://github.com/googleapis/google-cloud-java/issues/12871")
   void refreshCredentialsIfRequired_asyncMultiThread() throws IOException, InterruptedException {
     final ClientSideCredentialAccessBoundaryFactory factory =
         getClientSideCredentialAccessBoundaryFactory(RefreshType.ASYNC);
@@ -623,10 +621,16 @@ private Clock createMockClock(RefreshType refreshType, GoogleCredentials sourceC
         // (within the refresh margin).
         mockedTimeInMillis = expirationTimeInMillis - refreshMarginInMillis + 60000;
         when(mockClock.currentTimeMillis())
-            .thenReturn(
-                mockedTimeInMillis, // First call: Stale (triggers the async refresh)
-                currentTimeInMillis // Subsequent calls: Fresh (skips redundant refreshes)
-                );
+            .thenAnswer(
+                invocation -> {
+                  // If the async refresh has already been triggered (request count >= 2),
+                  // return the fresh time to skip redundant refreshes.
+                  // Note: 1st request was the initial blocking refresh.
+                  if (mockStsTransportFactory.transport.getRequestCount() >= 2) {
+                    return currentTimeInMillis;
+                  }
+                  return mockedTimeInMillis;
+                });
         break;
       case BLOCKING:
         // Set mocked time so that the token requires immediate refresh (just after the minimum

java-accessapproval/google-cloud-accessapproval-bom/pom.xml

@@ -20,6 +20,7 @@
 
   <dependencyManagement>
     <dependencies>
+      <!-- {x-generated-dependencies-start} -->
       <dependency>
         <groupId>com.google.cloud</groupId>
         <artifactId>google-cloud-accessapproval</artifactId>
@@ -35,6 +36,7 @@
         <artifactId>proto-google-cloud-accessapproval-v1</artifactId>
         <version>2.94.0</version><!-- {x-version-update:proto-google-cloud-accessapproval-v1:current} -->
       </dependency>
+      <!-- {x-generated-dependencies-end} -->
     </dependencies>
   </dependencyManagement>
 </project>

java-accessapproval/google-cloud-accessapproval/pom.xml

@@ -40,10 +40,12 @@
       <groupId>com.google.api.grpc</groupId>
       <artifactId>proto-google-common-protos</artifactId>
     </dependency>
+    <!-- {x-generated-proto-dependencies-start} -->
     <dependency>
       <groupId>com.google.api.grpc</groupId>
       <artifactId>proto-google-cloud-accessapproval-v1</artifactId>
     </dependency>
+    <!-- {x-generated-proto-dependencies-end} -->
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
@@ -71,11 +73,13 @@
       <artifactId>junit</artifactId>
       <scope>test</scope>
     </dependency>
+    <!-- {x-generated-grpc-dependencies-start} -->
     <dependency>
       <groupId>com.google.api.grpc</groupId>
       <artifactId>grpc-google-cloud-accessapproval-v1</artifactId>
       <scope>test</scope>
     </dependency>
+    <!-- {x-generated-grpc-dependencies-end} -->
     <!-- Need testing utility classes for generated gRPC clients tests -->
         <dependency>
       <groupId>com.google.api</groupId>

java-accessapproval/pom.xml

@@ -26,6 +26,7 @@
 
   <dependencyManagement>
     <dependencies>
+      <!-- {x-generated-dependencies-start} -->
       <dependency>
         <groupId>com.google.api.grpc</groupId>
         <artifactId>proto-google-cloud-accessapproval-v1</artifactId>
@@ -41,15 +42,18 @@
         <artifactId>google-cloud-accessapproval</artifactId>
         <version>2.94.0</version><!-- {x-version-update:google-cloud-accessapproval:current} -->
       </dependency>
+      <!-- {x-generated-dependencies-end} -->
 
       <!-- Test dependencies -->
     </dependencies>
   </dependencyManagement>
 
   <modules>
+    <!-- {x-generated-modules-start} -->
     <module>google-cloud-accessapproval</module>
     <module>grpc-google-cloud-accessapproval-v1</module>
     <module>proto-google-cloud-accessapproval-v1</module>
+    <!-- {x-generated-modules-end} -->
     <module>google-cloud-accessapproval-bom</module>
   </modules>