feat(google-pubsub): add Application Default Credentials (ADC) support to Google Pub/Sub connector

[tuantran0910]

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This PR adds support for Google Application Default Credentials (ADC) to the Google Cloud Pub/Sub connector.

Previously, users were required to explicitly provide the pubsub.credentials parameter with a JSON string containing service account credentials. Now, the connector can automatically use Google's ADC when no explicit credentials are provided, improving the developer experience and simplifying configuration.

Closes #24646

Usage

When pubsub.credentials is not specified, the connector searches for credentials in the following order:

1. GOOGLE_APPLICATION_CREDENTIALS_JSON environment variable (JSON content)
2. GOOGLE_APPLICATION_CREDENTIALS environment variable (file path)
3. Well-known file: $HOME/.config/gcloud/application_default_credentials.json
4. Google Cloud metadata server (when running on GCE/GKE)

How to test

First, create a Google Cloud Pubsub topic:

gcloud pubsub topics create risingwave

gcloud pubsub subscriptions create risingwave-sub \
  --topic=risingwave

Second, create Risingwave table with connector google_pubsub:

CREATE TABLE pubsub_source_v3 (
  text STRING
) WITH (
  connector = 'google_pubsub',
  pubsub.subscription = 'projects/<PROJECT_NAME>/subscriptions/risingwave-sub'
) FORMAT PLAIN ENCODE JSON;

Third, publish message into the topic:

gcloud pubsub topics publish risingwave \
  --message='{"text": "Hello from Pub/Sub!"}'

gcloud pubsub topics publish risingwave \
  --message='{"text": "Hello from Pub/Sub! I love RisingWave!"}'

Finally, check the result:

SELECT * FROM pubsub_source_v3;
                   text                    
-------------------------------------------
 Hello from Pub/Sub!
 Hello from Pub/Sub! I love RisingWave!
(2 rows)

Checklist

• I have written necessary rustdoc comments.
• I have added necessary unit tests and integration tests.
• I have added test labels as necessary.
• I have added fuzzing tests or opened an issue to track them.
• My PR contains breaking changes.
• My PR changes performance-critical code, so I will run (micro) benchmarks and present the results.
• I have checked the Release Timeline and Currently Supported Versions to determine which release branches I need to cherry-pick this PR into.

Documentation

• My PR needs documentation updates.

Release note

[Copilot]

Pull request overview

This PR extends the Google Pub/Sub source and sink to support Google Application Default Credentials (ADC), allowing connectors to authenticate without explicitly embedding service account JSON in configuration. It also updates tests and documentation to align with the new ADC-based authentication flow.

Changes:

• Remove hard requirements for explicit pubsub.credentials / pubsub.emulator_host in the Pub/Sub source and sink, and wire the sink to use DefaultTokenSourceProvider (ADC) when neither is provided.
• Enhance error messages for missing Pub/Sub subscriptions and failed ADC initialization to guide users toward correct ADC configuration (env vars, gcloud auth application-default login, workload identity).
• Update the Pub/Sub SLT test to expect ADC-related initialization errors and add documentation describing how to configure and test ADC-based authentication for connectors.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
src/connector/src/source/google_pubsub/enumerator/client.rs	Relaxes the previous “credentials or emulator required” constraint and augments the subscription-not-found error message with ADC configuration guidance.
src/connector/src/sink/google_pubsub.rs	Changes sink environment selection to fall back to Google ADC (DefaultTokenSourceProvider::new) when no explicit credentials or emulator host are provided, with a detailed error message on ADC failure.
e2e_test/source_inline/pubsub/pubsub.slt.serial	Adjusts the expected error for creating a Pub/Sub source without credentials to match the new ADC-based initialization failure path.
docs/dev/src/connector/intro.md	Adds a section explaining how to configure and use ADC (locally and in CI/CD) for Google Pub/Sub connector testing.

[Copilot]

The updated error message mixes two different concerns: the subscription not existing and ADC credential configuration. At this point we have already successfully initialized the Pub/Sub client and received a not found for the subscription, so issues with ADC credentials would have failed earlier (e.g. during with_auth() / client creation) instead of reaching this branch. To avoid misleading users who simply have a wrong subscription or project, consider keeping this message focused on the missing subscription (optionally mentioning project ID) and moving ADC guidance to the places where authentication actually fails.

Suggested change

	If not using emulator, ensure Google ADC is configured: \
	set `pubsub.credentials` parameter, or configure GOOGLE_APPLICATION_CREDENTIALS_JSON/GOOGLE_APPLICATION_CREDENTIALS environment variables, \
	or run on Google Cloud with appropriate service account",
	Please verify that the subscription name and project ID are correct.",

[Copilot]

This SLT expectation now depends on low-level error text from DNS resolution ("failed to lookup address information") and on the exact wording of the Google Cloud ADC initialization error, both of which are owned by external libraries/OS and may change between versions or environments. To keep the test stable, consider matching only on a stable, project-controlled part of the error message (e.g., the generic connector error label or a short context string you add yourself) instead of tying the assertion to the full upstream/OS error phrasing.