I am experiencing a persistent issue with Google Cloud Workload Identity Federation (WIF) that is preventing my GitHub Actions workflow from deploying to Firebase Hosting. My workflow is configured to use WIF to authenticate with Google Cloud, but the google-github-actions/auth action consistently fails with an invalid_grant error, specifically indicating an audience mismatch. The exact error message from github 'actions' is:

Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/MY_ID/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider2: {"error":"invalid_grant","error_description":"The audience in ID Token [https://iam.googleapis.com/projects/MY_ID/locations/global/workloadIdentityPools/github-actions-pool...] does not match the expected audience sts.googleapis.com."}

(MY_ID is set to my github project id.)

Despite these extensive troubleshooting steps, the google-github-actions/auth action continues to fail with the same audience mismatch error. This strongly suggests that there is an issue on the Google Cloud side, possibly with how the Workload Identity Provider is generating or validating the tokens.

I started with copilot in visual studio code, where I set up everything initially. Once I had issues with the 'Run google-github-actions/auth@v2', I tried using gemini to  address the WIF attributes. Me and my AI guys make progress every time but the issue persists. Please help. I think there may something I need to set up, or setup incorrectly within google console itself (eg. above WIF, maybe a google console API) since I am just setting everything up, at this point.