⭐ Add GCP Artifact Registry support with 9 new resource types and ~45 fields #6701

Merged
tas50 merged 9 commits into main from tas50/gcp_artifact
Mar 11, 2026
@tas50 tas50 commented Feb 27, 2026

Summary

Add GCP Artifact Registry support with 9 new resource types and ~45 fields:

New Resources

  • gcp.project.artifactRegistryService - Top-level service resource with repository listing
  • gcp.project.artifactRegistryService.repository - Registry repositories with full metadata, labels, IAM policy bindings, and sub-resources
  • gcp.project.artifactRegistryService.repository.vulnScanConfig - Vulnerability scanning configuration (enablement state, config, last enable time)
  • gcp.project.artifactRegistryService.repository.cleanupPolicy - Artifact cleanup policies with type discriminator (condition vs. mostRecentVersions)
  • gcp.project.artifactRegistryService.repository.cleanupPolicy.condition - Condition-based cleanup (tag state, prefixes, age filters)
  • gcp.project.artifactRegistryService.repository.cleanupPolicy.mostRecentVersions - Version-count-based cleanup (keep count, package prefixes)
  • gcp.project.artifactRegistryService.repository.formatConfig - Format-specific config (Docker immutable tags, Maven version policy)
  • gcp.project.artifactRegistryService.repository.modeConfig - Mode-specific config (virtual upstream policies, remote repo settings)
  • gcp.project.artifactRegistryService.repository.upstreamPolicy - Virtual repository upstream policy entries

New Fields on repository

projectId, resourcePath, name, location, description, format, mode, labels, kmsKeyName, createTime, updateTime, sizeBytes, registryUri, satisfiesPzs, satisfiesPzi, cleanupPolicyDryRun, vulnerabilityScanningConfig, cleanupPolicies, formatConfig, modeConfig, iamPolicy()

Alias

gcp.artifactregistry → gcp.project.artifactRegistryService

> gcp.project.artifactRegistryService.repositories{*}
gcp.project.artifactRegistryService.repositories: [
  0: {
    projectId: "my-project"
    resourcePath: "projects/my-project/locations/us-central1/repositories/my-repo"
    name: "my-repo"
    location: "us-central1"
    description: "Docker images"
    format: "DOCKER"
    mode: "STANDARD_REPOSITORY"
    labels: {}
    kmsKeyName: ""
    sizeBytes: 1048576
    registryUri: "us-central1-docker.pkg.dev/my-project/my-repo"
    satisfiesPzs: false
    satisfiesPzi: false
    cleanupPolicyDryRun: false
    formatConfig: gcp.project.artifactRegistryService.repository.formatConfig id="..."
    modeConfig: gcp.project.artifactRegistryService.repository.modeConfig id="..."
    vulnerabilityScanningConfig: gcp.project.artifactRegistryService.repository.vulnScanConfig id="..."
    cleanupPolicies: []
  }
]

Test plan

  • Build and install GCP provider: make providers/build/gcp && make providers/install/gcp
  • Verify repository listing: mql shell gcp --project <project> then gcp.artifactregistry.repositories
  • Verify sub-resources: gcp.artifactregistry.repositories { formatConfig { * } }
  • Verify IAM: gcp.artifactregistry.repositories { iamPolicy { role members } }
  • Verify cleanup policies: gcp.artifactregistry.repositories { cleanupPolicies { policyType action } }
  • CI passes (spellcheck, lint, generated files)

🤖 Generated with Claude Code

github-actions bot commented Feb 27, 2026

Test Results

5 276 tests  +15   5 272 ✅ +15   2m 3s ⏱️ -13s
  410 suites ± 0       4 💤 ± 0 
   31 files   ± 0       0 ❌ ± 0 

Results for commit 402e9ed. ± Comparison against base commit 0bbaa5c.

♻️ This comment has been updated with latest results.

@tas50 tas50 force-pushed the tas50/gcp_artifact branch 4 times, most recently from c98619a to 117b59a February 28, 2026 13:37

@mondoo-code-review mondoo-code-review bot left a comment

Solid implementation following established patterns; two design issues could mislead MQL policy authors.

@mondoo-code-review mondoo-code-review bot left a comment

One potential nil-pointer panic in the init function; everything else follows established patterns.

@mondoo-code-review mondoo-code-review bot left a comment

This PR adds GCP Artifact Registry support as a new resource provider. The implementation follows established patterns from other GCP services (alloydb, bigtable, etc.). The code is well-structured with proper sub-resource decomposition, IAM policy support, and unit tests for pure functions. A few issues worth noting: a version inconsistency in the versions file, a potential nil pointer dereference in the repository init function, and the location enumeration approach (iterating all locations before listing repositories) could be slow for projects with many locations but appears intentional given the API limitation noted in comments.

@mondoo-code-review mondoo-code-review bot left a comment

Solid implementation with one correctness issue in the init threshold and a nil-slice edge case in ArrayData calls.

@mondoo-code-review mondoo-code-review bot left a comment

Well-structured implementation that follows established GCP provider patterns; two actionable issues worth fixing before merge.

@mondoo-code-review mondoo-code-review bot dismissed their stale review February 28, 2026 14:18

Superseded by new review

@mondoo-code-review mondoo-code-review bot left a comment

This PR adds GCP Artifact Registry support as a new provider resource. The change is well-structured and follows established patterns in the codebase. The implementation covers repositories, IAM policy bindings, vulnerability scanning config, cleanup policies, format config, and mode config. A few minor issues worth noting: a version inconsistency in the versions file, and a potential nil-pointer dereference in the IAM policy loop. Overall the change is consistent and mechanically sound.

@mondoo-code-review mondoo-code-review bot left a comment

This PR adds GCP Artifact Registry support as a new MQL resource provider. The implementation follows established patterns from other GCP services (alloydb, bigtable, etc.) and is structurally consistent. The code correctly handles the Artifact Registry API's lack of wildcard location support by enumerating locations first. Sub-resources are properly decomposed. Tests cover the pure functions. A few minor issues noted below.

@tas50 tas50 changed the title from "⭐ Add GCP artifact registry" to "⭐ Add GCP artifact registry resources" Feb 28, 2026
@tas50 tas50 changed the title from "⭐ Add GCP artifact registry resources" to "⭐ Add GCP Artifact Registry support with 8 new resource types and ~45 fields" Feb 28, 2026
@tas50 tas50 added the pending-testing Waiting on manual testing label Feb 28, 2026
@tas50 tas50 changed the title from "⭐ Add GCP Artifact Registry support with 8 new resource types and ~45 fields" to "⭐ Add GCP Artifact Registry support with 9 new resource types and ~45 fields" Feb 28, 2026
@tas50 tas50 force-pushed the tas50/gcp_artifact branch from dc43c0a to 402e9ed March 5, 2026 01:31

@mondoo-code-review mondoo-code-review bot left a comment

New AWS resources (Route 53, Lambda, WorkSpaces, etc.), Ubuntu Pro detection, and LEDE platform support added without issues.

@tas50 tas50 removed the pending-testing Waiting on manual testing label Mar 11, 2026
tas50 and others added 3 commits March 11, 2026 10:23
Add new resources for exploring the GCP Artifact Registry

Signed-off-by: Tim Smith <tsmith84@gmail.com>
…onfig

Adds a policyType field ("condition" or "mostRecentVersions") to
cleanupPolicy so MQL users can filter by type before inspecting
type-specific sub-resources. Adds a format field to formatConfig
mirroring the parent repository's format so the sub-resource is
self-describing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract cleanupPolicyType() and extractFormatConfigFields() as testable
pure functions. Add tests covering cleanup policy type discrimination,
format config field extraction for Docker/Maven/NPM, and vuln scan
timestamp handling.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
tas50 and others added 6 commits March 11, 2026 10:23
… check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…comments

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add KFP to spelling expect list to fix CI spellcheck failure.
- Use role-based IAM binding IDs (repoPath + "/" + role) instead of
  index-based IDs for stability across API call reordering.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
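
The ID change described in the commit messages above (role-based repoPath + "/" + role instead of index-based IDs), shown as an added Go example that is not code from this PR: the Binding type, the function names and the sample policy are hypothetical and constructed for illustration. It also skips nil bindings, the case the review comments raise as a potential nil-pointer dereference in the IAM policy loop.

```go
package main

import "fmt"

// Binding is a hypothetical stand-in for one IAM policy binding.
type Binding struct {
	Role    string
	Members []string
}

// bindingIDs maps role -> resource ID: repoPath/role when byRole, else repoPath/index.
func bindingIDs(repoPath string, bs []*Binding, byRole bool) map[string]string {
	ids := map[string]string{}
	for i, b := range bs {
		if b == nil { // tolerate nil entries rather than dereferencing them
			continue
		}
		if byRole {
			ids[b.Role] = repoPath + "/" + b.Role
		} else {
			ids[b.Role] = fmt.Sprintf("%s/%d", repoPath, i)
		}
	}
	return ids
}

// moved counts the roles whose ID differs between two listings of one policy.
func moved(a, b map[string]string) int {
	n := 0
	for role, id := range a {
		if b[role] != id {
			n++
		}
	}
	return n
}

// sampleListings returns the same constructed policy in two different orders.
func sampleListings() (first, second []*Binding) {
	r := &Binding{Role: "roles/artifactregistry.reader", Members: []string{"group:devs@example.com"}}
	w := &Binding{Role: "roles/artifactregistry.writer", Members: []string{"serviceAccount:ci@my-project.iam.gserviceaccount.com"}}
	return []*Binding{r, nil, w}, []*Binding{w, r}
}

func main() {
	repo := "projects/my-project/locations/us-central1/repositories/my-repo"
	a, b := sampleListings()
	fmt.Println("index-based moved:", moved(bindingIDs(repo, a, false), bindingIDs(repo, b, false)),
		"role-based moved:", moved(bindingIDs(repo, a, true), bindingIDs(repo, b, true)))
}
```

IAM policies can hold several bindings for one role when the bindings carry different conditions, so a key built from the role alone assumes unconditional bindings.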
@tas50 tas50 force-pushed the tas50/gcp_artifact branch from 402e9ed to 8deecb8 March 11, 2026 17:24
@tas50 tas50 merged commit 95f5fbc into main Mar 11, 2026
21 checks passed
@tas50 tas50 deleted the tas50/gcp_artifact branch March 11, 2026 17:28
@github-actions github-actions bot locked and limited conversation to collaborators Mar 11, 2026