fix: replace orchestrator-develop branch references with main

The orchestrator-develop branch no longer exists. Update all fallback
clone commands and test fixtures to use main instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

action.yml

@@ -182,8 +182,8 @@ inputs:
     required: false
     default: ''
     description:
-      '[Orchestrator] Run a custom job instead of the standard build automation for orchestrator (in yaml format with the
-      keys image, secrets (name, value object array), command line string)'
+      '[Orchestrator] Run a custom job instead of the standard build automation for orchestrator (in yaml format with
+      the keys image, secrets (name, value object array), command line string)'
   awsStackName:
     default: 'game-ci'
     required: false
@@ -194,15 +194,6 @@ inputs:
     description:
       '[Orchestrator] Either local, k8s or aws can be used to run builds on a remote cluster. Additional parameters must
       be configured.'
-  secretSource:
-    default: ''
-    required: false
-    description:
-      '[Orchestrator] Premade secret source for pulling build secrets. Supported values: aws-secrets-manager,
-      aws-parameter-store, gcp-secret-manager, azure-key-vault, hashicorp-vault, hashicorp-vault-kv1,
-      vault (alias for hashicorp-vault), env. Can also be a custom shell command with {0} placeholder
-      for the key, or a path to a YAML file defining custom sources. Takes precedence over
-      inputPullCommand when set.'
   resourceTracking:
     default: 'false'
     required: false
@@ -288,6 +279,120 @@ inputs:
     description:
       '[Orchestrator] Specifies the repo for the unity builder. Useful if you forked the repo for testing, features, or
       fixes.'
+  gcpProject:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] Google Cloud project ID for Cloud Run Jobs provider. Falls back to
+      GOOGLE_CLOUD_PROJECT env var.'
+  gcpRegion:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] Google Cloud region for Cloud Run Jobs (e.g. us-central1). Defaults to the region
+      input if empty.'
+  gcpStorageType:
+    required: false
+    default: 'gcs-fuse'
+    description:
+      '[Orchestrator] [Experimental] Storage type for Cloud Run Jobs. Options: gcs-fuse (mount GCS bucket as filesystem,
+      unlimited size, best for large sequential I/O), gcs-copy (copy artifacts in/out via gsutil, simpler, no FUSE
+      overhead), nfs (Filestore NFS mount, true POSIX, good random I/O, up to 100 TiB), in-memory (tmpfs, fastest but
+      volatile, up to 32 GiB).'
+  gcpBucket:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] GCS bucket name for build artifact storage. Used by gcs-fuse and gcs-copy storage
+      types.'
+  gcpFilestoreIp:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] Filestore instance IP address for NFS storage type. Required when gcpStorageType is
+      nfs.'
+  gcpFilestoreShare:
+    required: false
+    default: '/share1'
+    description:
+      '[Orchestrator] [Experimental] Filestore share name for NFS storage type. Defaults to /share1 (the Filestore
+      default).'
+  gcpMachineType:
+    required: false
+    default: 'e2-standard-4'
+    description: '[Orchestrator] [Experimental] Machine type for Cloud Run Jobs (e.g. e2-standard-4, e2-highmem-8).'
+  gcpDiskSizeGb:
+    required: false
+    default: '100'
+    description:
+      '[Orchestrator] [Experimental] Disk size in GB for Cloud Run Jobs in-memory volumes. Only applies to in-memory
+      storage type (max 32).'
+  gcpServiceAccount:
+    required: false
+    default: ''
+    description: '[Orchestrator] [Experimental] Google Cloud service account email for Cloud Run Jobs execution.'
+  gcpVpcConnector:
+    required: false
+    default: ''
+    description: '[Orchestrator] [Experimental] VPC connector name for Cloud Run Jobs private networking.'
+  azureResourceGroup:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] Azure resource group for Container Instances provider. Falls back to
+      AZURE_RESOURCE_GROUP env var.'
+  azureLocation:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] Azure region for Container Instances (e.g. eastus, westeurope). Defaults to the
+      region input if empty.'
+  azureStorageType:
+    required: false
+    default: 'azure-files'
+    description:
+      '[Orchestrator] [Experimental] Storage type for Azure Container Instances. Options: azure-files (SMB file share
+      mount, up to 100 TiB, premium throughput), blob-copy (copy artifacts in/out via az storage blob, no mount
+      overhead), azure-files-nfs (NFS 4.1 file share mount, true POSIX, no SMB lock overhead), in-memory (emptyDir
+      tmpfs, fastest but volatile, size limited by container memory).'
+  azureStorageAccount:
+    required: false
+    default: ''
+    description:
+      '[Orchestrator] [Experimental] Azure Storage Account name. Used by azure-files, azure-files-nfs, and blob-copy
+      storage types.'
+  azureFileShareName:
+    required: false
+    default: 'unity-builds'
+    description:
+      '[Orchestrator] [Experimental] Azure File Share name within the storage account. Used by azure-files and
+      azure-files-nfs storage types. Supports up to 100 TiB per share.'
+  azureBlobContainer:
+    required: false
+    default: 'unity-builds'
+    description: '[Orchestrator] [Experimental] Azure Blob container name for blob-copy storage type.'
+  azureSubscriptionId:
+    required: false
+    default: ''
+    description: '[Orchestrator] [Experimental] Azure subscription ID. Falls back to AZURE_SUBSCRIPTION_ID env var.'
+  azureCpu:
+    required: false
+    default: '4'
+    description: '[Orchestrator] [Experimental] CPU cores for Azure Container Instances (1-16).'
+  azureMemoryGb:
+    required: false
+    default: '16'
+    description: '[Orchestrator] [Experimental] Memory in GB for Azure Container Instances (1-16).'
+  azureDiskSizeGb:
+    required: false
+    default: '100'
+    description:
+      '[Orchestrator] [Experimental] File share quota in GB for Azure Container Instances. Premium shares support up to
+      102400 GB (100 TiB).'
+  azureSubnetId:
+    required: false
+    default: ''
+    description: '[Orchestrator] [Experimental] Azure subnet resource ID for VNet-integrated Container Instances.'
 
 outputs:
   volume:

src/model/build-parameters.ts

@@ -107,6 +107,31 @@ class BuildParameters {
   public unityHubVersionOnMac!: string;
   public dockerWorkspacePath!: string;
 
+  // GCP Cloud Run (Experimental)
+  public gcpProject!: string;
+  public gcpRegion!: string;
+  public gcpStorageType!: string;
+  public gcpBucket!: string;
+  public gcpFilestoreIp!: string;
+  public gcpFilestoreShare!: string;
+  public gcpMachineType!: string;
+  public gcpDiskSizeGb!: string;
+  public gcpServiceAccount!: string;
+  public gcpVpcConnector!: string;
+
+  // Azure Container Instances (Experimental)
+  public azureResourceGroup!: string;
+  public azureLocation!: string;
+  public azureStorageType!: string;
+  public azureStorageAccount!: string;
+  public azureBlobContainer!: string;
+  public azureFileShareName!: string;
+  public azureSubscriptionId!: string;
+  public azureCpu!: string;
+  public azureMemoryGb!: string;
+  public azureDiskSizeGb!: string;
+  public azureSubnetId!: string;
+
   public static shouldUseRetainedWorkspaceMode(buildParameters: BuildParameters) {
     return buildParameters.maxRetainedWorkspaces > 0 && Orchestrator.lockedWorkspace !== ``;
   }
@@ -228,6 +253,27 @@ class BuildParameters {
       inputPullCommand: OrchestratorOptions.inputPullCommand,
       pullInputList: OrchestratorOptions.pullInputList,
       kubeStorageClass: OrchestratorOptions.kubeStorageClass,
+      gcpProject: Input.gcpProject,
+      gcpRegion: Input.gcpRegion,
+      gcpStorageType: Input.gcpStorageType,
+      gcpBucket: Input.gcpBucket,
+      gcpFilestoreIp: Input.gcpFilestoreIp,
+      gcpFilestoreShare: Input.gcpFilestoreShare,
+      gcpMachineType: Input.gcpMachineType,
+      gcpDiskSizeGb: Input.gcpDiskSizeGb,
+      gcpServiceAccount: Input.gcpServiceAccount,
+      gcpVpcConnector: Input.gcpVpcConnector,
+      azureResourceGroup: Input.azureResourceGroup,
+      azureLocation: Input.azureLocation,
+      azureStorageType: Input.azureStorageType,
+      azureStorageAccount: Input.azureStorageAccount,
+      azureBlobContainer: Input.azureBlobContainer,
+      azureFileShareName: Input.azureFileShareName,
+      azureSubscriptionId: Input.azureSubscriptionId,
+      azureCpu: Input.azureCpu,
+      azureMemoryGb: Input.azureMemoryGb,
+      azureDiskSizeGb: Input.azureDiskSizeGb,
+      azureSubnetId: Input.azureSubnetId,
       cacheKey: OrchestratorOptions.cacheKey,
       maxRetainedWorkspaces: Number.parseInt(OrchestratorOptions.maxRetainedWorkspaces),
       useLargePackages: OrchestratorOptions.useLargePackages,

src/model/input.ts

@@ -282,6 +282,92 @@ class Input {
     return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
   }
 
+  // GCP Cloud Run (Experimental)
+  static get gcpProject(): string {
+    return Input.getInput('gcpProject') ?? '';
+  }
+
+  static get gcpRegion(): string {
+    return Input.getInput('gcpRegion') ?? '';
+  }
+
+  static get gcpStorageType(): string {
+    return Input.getInput('gcpStorageType') ?? 'gcs-fuse';
+  }
+
+  static get gcpBucket(): string {
+    return Input.getInput('gcpBucket') ?? '';
+  }
+
+  static get gcpFilestoreIp(): string {
+    return Input.getInput('gcpFilestoreIp') ?? '';
+  }
+
+  static get gcpFilestoreShare(): string {
+    return Input.getInput('gcpFilestoreShare') ?? '/share1';
+  }
+
+  static get gcpMachineType(): string {
+    return Input.getInput('gcpMachineType') ?? 'e2-standard-4';
+  }
+
+  static get gcpDiskSizeGb(): string {
+    return Input.getInput('gcpDiskSizeGb') ?? '100';
+  }
+
+  static get gcpServiceAccount(): string {
+    return Input.getInput('gcpServiceAccount') ?? '';
+  }
+
+  static get gcpVpcConnector(): string {
+    return Input.getInput('gcpVpcConnector') ?? '';
+  }
+
+  // Azure Container Instances (Experimental)
+  static get azureResourceGroup(): string {
+    return Input.getInput('azureResourceGroup') ?? '';
+  }
+
+  static get azureLocation(): string {
+    return Input.getInput('azureLocation') ?? '';
+  }
+
+  static get azureStorageType(): string {
+    return Input.getInput('azureStorageType') ?? 'azure-files';
+  }
+
+  static get azureStorageAccount(): string {
+    return Input.getInput('azureStorageAccount') ?? '';
+  }
+
+  static get azureBlobContainer(): string {
+    return Input.getInput('azureBlobContainer') ?? 'unity-builds';
+  }
+
+  static get azureFileShareName(): string {
+    return Input.getInput('azureFileShareName') ?? 'unity-builds';
+  }
+
+  static get azureSubscriptionId(): string {
+    return Input.getInput('azureSubscriptionId') ?? '';
+  }
+
+  static get azureCpu(): string {
+    return Input.getInput('azureCpu') ?? '4';
+  }
+
+  static get azureMemoryGb(): string {
+    return Input.getInput('azureMemoryGb') ?? '16';
+  }
+
+  static get azureDiskSizeGb(): string {
+    return Input.getInput('azureDiskSizeGb') ?? '100';
+  }
+
+  static get azureSubnetId(): string {
+    return Input.getInput('azureSubnetId') ?? '';
+  }
+
   public static ToEnvVarFormat(input: string) {
     if (input.toUpperCase() === input) {
       return input;

src/model/orchestrator/options/orchestrator-options.ts

@@ -190,10 +190,6 @@ class OrchestratorOptions {
     return OrchestratorOptions.getInput('pullInputList')?.split(`,`) || [];
   }
 
-  static get secretSource(): string {
-    return OrchestratorOptions.getInput('secretSource') || '';
-  }
-
   static get inputPullCommand(): string {
     const value = OrchestratorOptions.getInput('inputPullCommand');
 

src/model/orchestrator/options/orchestrator-query-override.ts

@@ -1,9 +1,6 @@
-import * as core from '@actions/core';
 import Input from '../../input';
 import { GenericInputReader } from '../../input-readers/generic-input-reader';
 import OrchestratorOptions from './orchestrator-options';
-import { SecretSourceService, validateSecretKey } from '../services/secrets/secret-source-service';
-import OrchestratorLogger from '../services/core/orchestrator-logger';
 
 const formatFunction = (value: string, arguments_: any[]) => {
   for (const element of arguments_) {
@@ -16,6 +13,8 @@ const formatFunction = (value: string, arguments_: any[]) => {
 class OrchestratorQueryOverride {
   static queryOverrides: { [key: string]: string } | undefined;
 
+  // TODO accept premade secret sources or custom secret source definition yamls
+
   public static query(key: string, alternativeKey: string) {
     if (OrchestratorQueryOverride.queryOverrides && OrchestratorQueryOverride.queryOverrides[key] !== undefined) {
       return OrchestratorQueryOverride.queryOverrides[key];
@@ -50,62 +49,14 @@ class OrchestratorQueryOverride {
       throw new Error(`Should not be trying to run override query on ${query}`);
     }
 
-    // Validate the query key before interpolating it into a shell command
-    validateSecretKey(query);
-
-    const result = await GenericInputReader.Run(
+    return await GenericInputReader.Run(
       formatFunction(OrchestratorOptions.inputPullCommand, [{ key: 0, value: query }]),
     );
-
-    // Mask the fetched secret value so it does not appear in GitHub Actions logs
-    if (result && result.trim().length > 0) {
-      core.setSecret(result);
-    }
-
-    return result;
   }
 
-  /**
-   * Populate query overrides using either:
-   * 1. Premade/custom secret sources (via secretSource input), or
-   * 2. Shell command (via inputPullCommand, legacy approach)
-   *
-   * The secretSource input takes precedence if set. It supports:
-   * - Premade names: 'aws-secrets-manager', 'aws-parameter-store', 'gcp-secret-manager', 'azure-key-vault', 'env'
-   * - Custom commands: any string containing {0} placeholder
-   * - YAML file path: a path ending in .yml or .yaml containing custom source definitions
-   */
   public static async PopulateQueryOverrideInput() {
     const queries = OrchestratorOptions.pullInputList;
     OrchestratorQueryOverride.queryOverrides = {};
-
-    const secretSource = OrchestratorOptions.secretSource;
-
-    // Use SecretSourceService if secretSource is configured
-    if (secretSource) {
-      OrchestratorLogger.log(`Using secret source: ${secretSource}`);
-
-      // YAML file: load definitions and use the first source
-      if (secretSource.endsWith('.yml') || secretSource.endsWith('.yaml')) {
-        const definitions = SecretSourceService.loadFromYaml(secretSource);
-        if (definitions.length > 0) {
-          OrchestratorLogger.log(`Loaded ${definitions.length} secret source(s) from ${secretSource}`);
-          for (const key of queries) {
-            OrchestratorQueryOverride.queryOverrides[key] = await SecretSourceService.fetchSecret(definitions[0], key);
-          }
-        }
-
-        return;
-      }
-
-      // Premade or custom command source
-      const results = await SecretSourceService.fetchAll(secretSource, queries);
-      Object.assign(OrchestratorQueryOverride.queryOverrides, results);
-
-      return;
-    }
-
-    // Legacy: use inputPullCommand if set
     for (const element of queries) {
       if (OrchestratorQueryOverride.shouldUseOverride(element)) {
         OrchestratorQueryOverride.queryOverrides[element] = await OrchestratorQueryOverride.queryOverride(element);

src/model/orchestrator/orchestrator.ts

@@ -13,6 +13,8 @@ import OrchestratorEnvironmentVariable from './options/orchestrator-environment-
 import TestOrchestrator from './providers/test';
 import LocalOrchestrator from './providers/local';
 import LocalDockerOrchestrator from './providers/docker';
+import GcpCloudRunProvider from './providers/gcp-cloud-run';
+import AzureAciProvider from './providers/azure-aci';
 import loadProvider from './providers/provider-loader';
 import GitHub from '../github';
 import SharedWorkspaceLocking from './services/core/shared-workspace-locking';
@@ -158,6 +160,14 @@ class Orchestrator {
       case 'local':
         Orchestrator.Provider = new LocalOrchestrator();
         break;
+      case 'gcp-cloud-run':
+        OrchestratorLogger.log('⚠ EXPERIMENTAL: GCP Cloud Run Jobs provider');
+        Orchestrator.Provider = new GcpCloudRunProvider(Orchestrator.buildParameters);
+        break;
+      case 'azure-aci':
+        OrchestratorLogger.log('⚠ EXPERIMENTAL: Azure Container Instances provider');
+        Orchestrator.Provider = new AzureAciProvider(Orchestrator.buildParameters);
+        break;
       default:
         // Try to load provider using the dynamic loader for unknown providers
         try {

src/model/orchestrator/providers/azure-aci/index.ts

@@ -0,0 +1,536 @@
+/**
+ * Azure Container Instances (ACI) Provider (Experimental)
+ *
+ * Executes Unity builds as Azure Container Instances with configurable storage backends.
+ *
+ * Storage types:
+ *   - azure-files:     SMB file share mount via Azure Files. Up to 100 TiB per share,
+ *                       premium throughput. Default.
+ *                       Requires: azureStorageAccount, azureFileShareName
+ *   - blob-copy:       Copy artifacts in/out of Azure Blob Storage before/after the build.
+ *                       No mount overhead, simpler.
+ *                       Requires: azureStorageAccount, azureBlobContainer
+ *   - azure-files-nfs: NFS 4.1 file share mount. True POSIX semantics, no SMB lock overhead,
+ *                       better for Unity Library caching (many small random reads).
+ *                       Requires: azureStorageAccount, azureFileShareName, Premium FileStorage,
+ *                       VNet integration (azureSubnetId)
+ *   - in-memory:       emptyDir volume (tmpfs). Fastest I/O but volatile, size limited by
+ *                       container memory allocation.
+ *
+ * Prerequisites:
+ *   - Azure CLI authenticated (az login or service principal)
+ *   - A resource group for build resources
+ *   - Contributor role on the resource group
+ *
+ * @experimental This provider is experimental. APIs and behavior may change.
+ */
+
+import { ProviderInterface } from '../provider-interface';
+import BuildParameters from '../../../build-parameters';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import OrchestratorEnvironmentVariable from '../../options/orchestrator-environment-variable';
+import OrchestratorSecret from '../../options/orchestrator-secret';
+import { ProviderResource } from '../provider-resource';
+import { ProviderWorkflow } from '../provider-workflow';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import { Input } from '../../..';
+import ResourceTracking from '../../services/core/resource-tracking';
+
+type AzureStorageType = 'azure-files' | 'blob-copy' | 'azure-files-nfs' | 'in-memory';
+
+class AzureAciProvider implements ProviderInterface {
+  private readonly resourceGroup: string;
+  private readonly location: string;
+  private readonly storageType: AzureStorageType;
+  private readonly storageAccount: string;
+  private readonly blobContainer: string;
+  private readonly fileShareName: string;
+  private readonly subscriptionId: string;
+  private readonly cpu: number;
+  private readonly memoryGb: number;
+  private readonly diskSizeGb: number;
+  private readonly subnetId: string;
+  private buildParameters: BuildParameters;
+
+  constructor(buildParameters: BuildParameters) {
+    this.buildParameters = buildParameters;
+    this.resourceGroup = buildParameters.azureResourceGroup || process.env.AZURE_RESOURCE_GROUP || '';
+    this.location = buildParameters.azureLocation || Input.region || 'eastus';
+    this.storageType = (buildParameters.azureStorageType || 'azure-files') as AzureStorageType;
+    this.storageAccount = buildParameters.azureStorageAccount || process.env.AZURE_STORAGE_ACCOUNT || '';
+    this.blobContainer = buildParameters.azureBlobContainer || 'unity-builds';
+    this.fileShareName = buildParameters.azureFileShareName || 'unity-builds';
+    this.subscriptionId = buildParameters.azureSubscriptionId || process.env.AZURE_SUBSCRIPTION_ID || '';
+    this.cpu = Number.parseInt(buildParameters.azureCpu || '4', 10);
+    this.memoryGb = Number.parseInt(buildParameters.azureMemoryGb || '16', 10);
+    this.diskSizeGb = Number.parseInt(buildParameters.azureDiskSizeGb || '100', 10);
+    this.subnetId = buildParameters.azureSubnetId || '';
+
+    OrchestratorLogger.log('[Azure ACI] Provider initialized (EXPERIMENTAL)');
+    OrchestratorLogger.log(`[Azure ACI] Resource Group: ${this.resourceGroup || '(not set)'}`);
+    OrchestratorLogger.log(`[Azure ACI] Location: ${this.location}`);
+    OrchestratorLogger.log(`[Azure ACI] Storage: ${this.storageType}`);
+    OrchestratorLogger.log(`[Azure ACI] Resources: ${this.cpu} CPU, ${this.memoryGb}GB RAM`);
+
+    this.validateStorageConfig();
+  }
+
+  private validateStorageConfig(): void {
+    switch (this.storageType) {
+      case 'azure-files':
+        if (!this.storageAccount) {
+          OrchestratorLogger.logWarning(
+            '[Azure ACI] Storage type "azure-files" requires azureStorageAccount to be set.',
+          );
+        } else {
+          OrchestratorLogger.log(`[Azure ACI] File Share: ${this.storageAccount}/${this.fileShareName} (SMB)`);
+        }
+        break;
+      case 'azure-files-nfs':
+        if (!this.storageAccount) {
+          OrchestratorLogger.logWarning(
+            '[Azure ACI] Storage type "azure-files-nfs" requires azureStorageAccount (Premium FileStorage).',
+          );
+        }
+        if (!this.subnetId) {
+          OrchestratorLogger.logWarning('[Azure ACI] NFS file shares require VNet integration. Set azureSubnetId.');
+        } else {
+          OrchestratorLogger.log(`[Azure ACI] File Share: ${this.storageAccount}/${this.fileShareName} (NFS 4.1)`);
+        }
+        break;
+      case 'blob-copy':
+        if (!this.storageAccount) {
+          OrchestratorLogger.logWarning('[Azure ACI] Storage type "blob-copy" requires azureStorageAccount to be set.');
+        } else {
+          OrchestratorLogger.log(`[Azure ACI] Blob container: ${this.storageAccount}/${this.blobContainer}`);
+        }
+        break;
+      case 'in-memory':
+        OrchestratorLogger.log(
+          `[Azure ACI] In-memory volume (emptyDir): limited by ${this.memoryGb}GB container memory`,
+        );
+        break;
+      default:
+        OrchestratorLogger.logWarning(
+          `[Azure ACI] Unknown storage type '${this.storageType}'. Valid: azure-files, blob-copy, azure-files-nfs, in-memory`,
+        );
+    }
+
+    if (!this.resourceGroup) {
+      OrchestratorLogger.logWarning(
+        '[Azure ACI] No resource group specified. Set azureResourceGroup input or AZURE_RESOURCE_GROUP env var.',
+      );
+    }
+  }
+
+  async setupWorkflow(
+    buildGuid: string,
+    buildParameters: BuildParameters,
+    branchName: string,
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ) {
+    OrchestratorLogger.log(`[Azure ACI] Setting up workflow for build ${buildGuid}`);
+    ResourceTracking.logAllocationSummary('azure-aci setup');
+
+    // Verify Azure CLI is available
+    try {
+      await OrchestratorSystem.Run('az version --output json', false, true);
+      OrchestratorLogger.log('[Azure ACI] Azure CLI detected');
+    } catch {
+      throw new Error(
+        '[Azure ACI] Azure CLI not found. Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli',
+      );
+    }
+
+    if (this.subscriptionId) {
+      await OrchestratorSystem.Run(`az account set --subscription="${this.subscriptionId}"`);
+    }
+
+    // Ensure resource group exists
+    if (this.resourceGroup) {
+      try {
+        await OrchestratorSystem.Run(`az group show --name "${this.resourceGroup}" --output json`, false, true);
+        OrchestratorLogger.log(`[Azure ACI] Resource group ${this.resourceGroup} exists`);
+      } catch {
+        OrchestratorLogger.log(`[Azure ACI] Creating resource group ${this.resourceGroup}`);
+        await OrchestratorSystem.Run(`az group create --name "${this.resourceGroup}" --location "${this.location}"`);
+      }
+    }
+
+    // Storage-specific setup
+    switch (this.storageType) {
+      case 'azure-files':
+        await this.setupStorageAccount('Standard_LRS', 'StorageV2');
+        await this.setupFileShare();
+        break;
+      case 'azure-files-nfs':
+        await this.setupStorageAccount('Premium_LRS', 'FileStorage');
+        await this.setupNfsFileShare();
+        break;
+      case 'blob-copy':
+        await this.setupStorageAccount('Standard_LRS', 'StorageV2');
+        await this.setupBlobContainer();
+        break;
+      case 'in-memory':
+        // No storage setup needed
+        break;
+    }
+  }
+
+  private async setupStorageAccount(sku: string, kind: string): Promise<void> {
+    if (!this.storageAccount || !this.resourceGroup) return;
+
+    try {
+      await OrchestratorSystem.Run(
+        `az storage account show --name "${this.storageAccount}" --resource-group "${this.resourceGroup}" --output json`,
+        false,
+        true,
+      );
+      OrchestratorLogger.log(`[Azure ACI] Storage account ${this.storageAccount} exists`);
+    } catch {
+      OrchestratorLogger.log(`[Azure ACI] Creating storage account ${this.storageAccount} (${sku}, ${kind})`);
+      await OrchestratorSystem.Run(
+        `az storage account create --name "${this.storageAccount}" --resource-group "${this.resourceGroup}" --location "${this.location}" --sku ${sku} --kind ${kind}`,
+      );
+    }
+  }
+
+  private async setupFileShare(): Promise<void> {
+    if (!this.storageAccount || !this.resourceGroup) return;
+    try {
+      await OrchestratorSystem.Run(
+        `az storage share-rm show --storage-account "${this.storageAccount}" --name "${this.fileShareName}" --resource-group "${this.resourceGroup}" --output json`,
+        false,
+        true,
+      );
+    } catch {
+      OrchestratorLogger.log(`[Azure ACI] Creating file share ${this.fileShareName} (${this.diskSizeGb}GB)`);
+      await OrchestratorSystem.Run(
+        `az storage share-rm create --storage-account "${this.storageAccount}" --name "${this.fileShareName}" --resource-group "${this.resourceGroup}" --quota ${this.diskSizeGb}`,
+      );
+    }
+  }
+
+  private async setupNfsFileShare(): Promise<void> {
+    if (!this.storageAccount || !this.resourceGroup) return;
+    try {
+      await OrchestratorSystem.Run(
+        `az storage share-rm show --storage-account "${this.storageAccount}" --name "${this.fileShareName}" --resource-group "${this.resourceGroup}" --output json`,
+        false,
+        true,
+      );
+    } catch {
+      OrchestratorLogger.log(`[Azure ACI] Creating NFS file share ${this.fileShareName} (${this.diskSizeGb}GB)`);
+      await OrchestratorSystem.Run(
+        `az storage share-rm create --storage-account "${this.storageAccount}" --name "${this.fileShareName}" --resource-group "${this.resourceGroup}" --quota ${this.diskSizeGb} --enabled-protocols NFS`,
+      );
+    }
+  }
+
+  private async setupBlobContainer(): Promise<void> {
+    if (!this.storageAccount || !this.resourceGroup) return;
+    try {
+      await OrchestratorSystem.Run(
+        `az storage container show --name "${this.blobContainer}" --account-name "${this.storageAccount}" --output json`,
+        false,
+        true,
+      );
+    } catch {
+      OrchestratorLogger.log(`[Azure ACI] Creating blob container ${this.blobContainer}`);
+      await OrchestratorSystem.Run(
+        `az storage container create --name "${this.blobContainer}" --account-name "${this.storageAccount}"`,
+      );
+    }
+  }
+
+  private async getStorageKey(): Promise<string> {
+    if (!this.storageAccount || !this.resourceGroup) return '';
+    try {
+      const keyJson = await OrchestratorSystem.Run(
+        `az storage account keys list --account-name "${this.storageAccount}" --resource-group "${this.resourceGroup}" --output json`,
+        false,
+        true,
+      );
+      const keys = JSON.parse(keyJson);
+      return keys[0]?.value || '';
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`[Azure ACI] Could not get storage key: ${error.message}`);
+      return '';
+    }
+  }
+
+  private async buildVolumeFlags(mountdir: string): Promise<string> {
+    switch (this.storageType) {
+      case 'azure-files': {
+        const storageKey = await this.getStorageKey();
+        if (!storageKey) return '';
+        return [
+          `--azure-file-volume-account-name "${this.storageAccount}"`,
+          `--azure-file-volume-account-key "${storageKey}"`,
+          `--azure-file-volume-share-name "${this.fileShareName}"`,
+          `--azure-file-volume-mount-path "${mountdir}"`,
+        ].join(' ');
+      }
+
+      case 'azure-files-nfs': {
+        // ACI NFS mount uses a YAML deployment template; for CLI we use the same
+        // azure-file-volume flags but the share must be NFS-enabled and
+        // the container must be in a VNet
+        const storageKey = await this.getStorageKey();
+        if (!storageKey) return '';
+        return [
+          `--azure-file-volume-account-name "${this.storageAccount}"`,
+          `--azure-file-volume-account-key "${storageKey}"`,
+          `--azure-file-volume-share-name "${this.fileShareName}"`,
+          `--azure-file-volume-mount-path "${mountdir}"`,
+        ].join(' ');
+      }
+
+      case 'in-memory':
+        // ACI emptyDir volumes require YAML deployment; for simplicity we skip
+        // the volume mount and let the container use its own filesystem
+        OrchestratorLogger.log('[Azure ACI] In-memory mode: using container filesystem (no persistent mount)');
+        return '';
+
+      case 'blob-copy':
+        // No volume mount — artifacts are copied in/out via az storage blob commands
+        return '';
+
+      default:
+        return '';
+    }
+  }
+
+  async runTaskInWorkflow(
+    buildGuid: string,
+    image: string,
+    commands: string,
+    mountdir: string,
+    workingdir: string,
+    environment: OrchestratorEnvironmentVariable[],
+    secrets: OrchestratorSecret[],
+  ): Promise<string> {
+    OrchestratorLogger.log(`[Azure ACI] Running task for build ${buildGuid}`);
+    ResourceTracking.logAllocationSummary('azure-aci task');
+
+    const containerName = `unity-build-${buildGuid}`
+      .toLowerCase()
+      .replace(/[^a-z0-9-]/g, '-')
+      .slice(0, 63);
+
+    // Build environment variable flags
+    const allEnvVars = [
+      ...environment.map((env) => `${env.name}=${env.value}`),
+      ...secrets.map((s) => `${s.EnvironmentVariable}=${s.ParameterValue}`),
+    ];
+    const envFlag = allEnvVars.length > 0 ? `--environment-variables ${allEnvVars.map((e) => `"${e}"`).join(' ')}` : '';
+
+    // Build volume flags based on storage type
+    const volumeFlags = await this.buildVolumeFlags(mountdir);
+
+    const subnetFlag = this.subnetId ? `--subnet "${this.subnetId}"` : '';
+
+    // For blob-copy, wrap the user command with copy-in/copy-out steps
+    let effectiveCommands = commands;
+    if (this.storageType === 'blob-copy' && this.storageAccount && commands) {
+      effectiveCommands = [
+        `az storage blob download-batch --destination "${mountdir}" --source "${this.blobContainer}" --account-name "${this.storageAccount}" 2>/dev/null || true`,
+        commands,
+        `az storage blob upload-batch --source "${mountdir}" --destination "${this.blobContainer}" --account-name "${this.storageAccount}" --overwrite`,
+      ].join(' && ');
+    }
+
+    const commandFlag = effectiveCommands
+      ? `--command-line "/bin/sh -c '${effectiveCommands.replace(/'/g, "'\\''")}'"`
+      : '';
+
+    const createCmd = [
+      'az container create',
+      `--resource-group "${this.resourceGroup}"`,
+      `--name "${containerName}"`,
+      `--image "${image}"`,
+      `--location "${this.location}"`,
+      `--cpu ${this.cpu}`,
+      `--memory ${this.memoryGb}`,
+      '--restart-policy Never',
+      '--os-type Linux',
+      volumeFlags,
+      envFlag,
+      subnetFlag,
+      commandFlag,
+      '--output json',
+    ]
+      .filter(Boolean)
+      .join(' ');
+
+    try {
+      await OrchestratorSystem.Run(createCmd);
+      OrchestratorLogger.log(
+        `[Azure ACI] Container ${containerName} created (storage: ${this.storageType}), waiting for completion...`,
+      );
+    } catch (error: any) {
+      throw new Error(`[Azure ACI] Failed to create container: ${error.message}`);
+    }
+
+    const output = await this.waitForContainerCompletion(containerName);
+    return output;
+  }
+
+  private async waitForContainerCompletion(containerName: string): Promise<string> {
+    const maxWaitMs = 24 * 60 * 60 * 1000;
+    const pollIntervalMs = 15_000;
+    const startTime = Date.now();
+    let lastLogLength = 0;
+
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const stateJson = await OrchestratorSystem.Run(
+          `az container show --resource-group "${this.resourceGroup}" --name "${containerName}" --output json`,
+          false,
+          true,
+        );
+
+        const state = JSON.parse(stateJson);
+        const containerState =
+          state.containers?.[0]?.instanceView?.currentState?.state || state.instanceView?.state || 'Unknown';
+        const provisioningState = state.provisioningState || 'Unknown';
+
+        // Stream logs incrementally
+        try {
+          const logs = await OrchestratorSystem.Run(
+            `az container logs --resource-group "${this.resourceGroup}" --name "${containerName}"`,
+            false,
+            true,
+          );
+          if (logs && logs.length > lastLogLength) {
+            const newLogs = logs.slice(lastLogLength);
+            for (const line of newLogs.split('\n')) {
+              if (line.trim()) {
+                OrchestratorLogger.log(`[Build] ${line}`);
+              }
+            }
+            lastLogLength = logs.length;
+          }
+        } catch {
+          // Logs may not be available yet
+        }
+
+        if (containerState === 'Terminated' || provisioningState === 'Succeeded') {
+          const exitCode = state.containers?.[0]?.instanceView?.currentState?.exitCode;
+          if (exitCode !== undefined && exitCode !== 0) {
+            throw new Error(`[Azure ACI] Container exited with code ${exitCode}`);
+          }
+          OrchestratorLogger.log('[Azure ACI] Container completed successfully');
+          try {
+            return await OrchestratorSystem.Run(
+              `az container logs --resource-group "${this.resourceGroup}" --name "${containerName}"`,
+              false,
+              true,
+            );
+          } catch {
+            return '';
+          }
+        }
+
+        if (provisioningState === 'Failed') {
+          const detail =
+            state.containers?.[0]?.instanceView?.currentState?.detailStatus ||
+            state.containers?.[0]?.instanceView?.events?.map((e: any) => e.message).join('; ') ||
+            'Unknown error';
+          throw new Error(`[Azure ACI] Container provisioning failed: ${detail}`);
+        }
+      } catch (error: any) {
+        if (error.message?.includes('Container provisioning failed') || error.message?.includes('exited with code')) {
+          throw error;
+        }
+        OrchestratorLogger.logWarning(`[Azure ACI] Polling error: ${error.message}`);
+      }
+
+      await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+    }
+
+    throw new Error('[Azure ACI] Container execution timed out after 24 hours');
+  }
+
+  async cleanupWorkflow(
+    buildParameters: BuildParameters,
+    branchName: string,
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ) {
+    OrchestratorLogger.log('[Azure ACI] Cleaning up workflow');
+  }
+
+  async garbageCollect(
+    filter: string,
+    previewOnly: boolean,
+    olderThan: Number,
+    fullCache: boolean,
+    baseDependencies: boolean,
+  ): Promise<string> {
+    OrchestratorLogger.log('[Azure ACI] Garbage collecting old container groups');
+
+    try {
+      const containersJson = await OrchestratorSystem.Run(
+        `az container list --resource-group "${this.resourceGroup}" --output json`,
+        false,
+        true,
+      );
+
+      const containers = JSON.parse(containersJson || '[]');
+      const cutoffDate = new Date();
+      cutoffDate.setDate(cutoffDate.getDate() - Number(olderThan));
+
+      let deletedCount = 0;
+      for (const container of containers) {
+        const name = container.name || '';
+        if (!name.startsWith('unity-build-')) continue;
+
+        const createdAt = new Date(container.tags?.createdAt || container.properties?.provisioningState || 0);
+        const state = container.containers?.[0]?.instanceView?.currentState?.state || '';
+
+        if (state === 'Terminated' || createdAt < cutoffDate) {
+          if (previewOnly) {
+            OrchestratorLogger.log(`[Azure ACI] Would delete: ${name}`);
+          } else {
+            await OrchestratorSystem.Run(
+              `az container delete --resource-group "${this.resourceGroup}" --name "${name}" --yes`,
+            );
+            deletedCount++;
+          }
+        }
+      }
+
+      return `Garbage collected ${deletedCount} Azure container instances`;
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`[Azure ACI] Garbage collection failed: ${error.message}`);
+      return '';
+    }
+  }
+
+  async listResources(): Promise<ProviderResource[]> {
+    try {
+      const containersJson = await OrchestratorSystem.Run(
+        `az container list --resource-group "${this.resourceGroup}" --output json`,
+        false,
+        true,
+      );
+
+      const containers = JSON.parse(containersJson || '[]');
+      return containers
+        .filter((c: any) => (c.name || '').startsWith('unity-build-'))
+        .map((c: any) => ({ Name: c.name || '' }));
+    } catch {
+      return [];
+    }
+  }
+
+  listWorkflow(): Promise<ProviderWorkflow[]> {
+    throw new Error('[Azure ACI] listWorkflow not implemented for this experimental provider');
+  }
+
+  async watchWorkflow(): Promise<string> {
+    throw new Error('[Azure ACI] watchWorkflow not implemented for this experimental provider');
+  }
+}
+
+export default AzureAciProvider;

src/model/orchestrator/providers/gcp-cloud-run/index.ts

@@ -0,0 +1,435 @@
+/**
+ * Google Cloud Run Jobs Provider (Experimental)
+ *
+ * Executes Unity builds as Cloud Run Jobs with configurable storage backends.
+ *
+ * Storage types:
+ *   - gcs-fuse:   Mount a GCS bucket as a POSIX filesystem via GCS FUSE sidecar.
+ *                  Unlimited size, best for large sequential reads/writes.
+ *                  Requires: gcpBucket
+ *   - gcs-copy:   Copy artifacts in/out of GCS before/after the build via gsutil.
+ *                  No mount overhead, simpler, works everywhere.
+ *                  Requires: gcpBucket
+ *   - nfs:        Mount a Filestore NFS share. True POSIX semantics, good random I/O,
+ *                  up to 100 TiB. Best for Library caching (many small random reads).
+ *                  Requires: gcpFilestoreIp, gcpFilestoreShare
+ *   - in-memory:  tmpfs volume (emptyDir). Fastest I/O but volatile and limited to 32 GiB.
+ *                  Good for scratch/temp space during builds.
+ *
+ * Prerequisites:
+ *   - Google Cloud SDK authenticated (GOOGLE_APPLICATION_CREDENTIALS or gcloud auth)
+ *   - Cloud Run Jobs API enabled
+ *   - Service account with roles: Cloud Run Admin, Storage Admin, Logs Viewer
+ *
+ * @experimental This provider is experimental. APIs and behavior may change.
+ */
+
+import { ProviderInterface } from '../provider-interface';
+import BuildParameters from '../../../build-parameters';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import OrchestratorEnvironmentVariable from '../../options/orchestrator-environment-variable';
+import OrchestratorSecret from '../../options/orchestrator-secret';
+import { ProviderResource } from '../provider-resource';
+import { ProviderWorkflow } from '../provider-workflow';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import { Input } from '../../..';
+import ResourceTracking from '../../services/core/resource-tracking';
+
+type GcpStorageType = 'gcs-fuse' | 'gcs-copy' | 'nfs' | 'in-memory';
+
+class GcpCloudRunProvider implements ProviderInterface {
+  private readonly project: string;
+  private readonly region: string;
+  private readonly storageType: GcpStorageType;
+  private readonly bucket: string;
+  private readonly filestoreIp: string;
+  private readonly filestoreShare: string;
+  private readonly machineType: string;
+  private readonly diskSizeGb: number;
+  private readonly serviceAccount: string;
+  private readonly vpcConnector: string;
+  private buildParameters: BuildParameters;
+
+  constructor(buildParameters: BuildParameters) {
+    this.buildParameters = buildParameters;
+    this.project = buildParameters.gcpProject || process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT || '';
+    this.region = buildParameters.gcpRegion || Input.region || 'us-central1';
+    this.storageType = (buildParameters.gcpStorageType || 'gcs-fuse') as GcpStorageType;
+    this.bucket = buildParameters.gcpBucket || '';
+    this.filestoreIp = buildParameters.gcpFilestoreIp || '';
+    this.filestoreShare = buildParameters.gcpFilestoreShare || '/share1';
+    this.machineType = buildParameters.gcpMachineType || 'e2-standard-4';
+    this.diskSizeGb = Number.parseInt(buildParameters.gcpDiskSizeGb || '100', 10);
+    this.serviceAccount = buildParameters.gcpServiceAccount || '';
+    this.vpcConnector = buildParameters.gcpVpcConnector || '';
+
+    OrchestratorLogger.log('[GCP Cloud Run] Provider initialized (EXPERIMENTAL)');
+    OrchestratorLogger.log(`[GCP Cloud Run] Project: ${this.project || '(auto-detect)'}`);
+    OrchestratorLogger.log(`[GCP Cloud Run] Region: ${this.region}`);
+    OrchestratorLogger.log(`[GCP Cloud Run] Storage: ${this.storageType}`);
+
+    this.validateStorageConfig();
+  }
+
+  private validateStorageConfig(): void {
+    switch (this.storageType) {
+      case 'gcs-fuse':
+      case 'gcs-copy':
+        if (!this.bucket) {
+          OrchestratorLogger.logWarning(
+            `[GCP Cloud Run] Storage type '${this.storageType}' requires gcpBucket to be set.`,
+          );
+        } else {
+          OrchestratorLogger.log(`[GCP Cloud Run] Bucket: gs://${this.bucket}`);
+        }
+        break;
+      case 'nfs':
+        if (!this.filestoreIp) {
+          OrchestratorLogger.logWarning('[GCP Cloud Run] Storage type "nfs" requires gcpFilestoreIp to be set.');
+        } else {
+          OrchestratorLogger.log(`[GCP Cloud Run] Filestore: ${this.filestoreIp}:${this.filestoreShare}`);
+        }
+        if (!this.vpcConnector) {
+          OrchestratorLogger.logWarning(
+            '[GCP Cloud Run] NFS storage usually requires gcpVpcConnector for private network access to Filestore.',
+          );
+        }
+        break;
+      case 'in-memory':
+        OrchestratorLogger.log(`[GCP Cloud Run] In-memory volume: ${Math.min(this.diskSizeGb, 32)} GiB (max 32)`);
+        break;
+      default:
+        OrchestratorLogger.logWarning(
+          `[GCP Cloud Run] Unknown storage type '${this.storageType}'. Valid: gcs-fuse, gcs-copy, nfs, in-memory`,
+        );
+    }
+
+    if (!this.project) {
+      OrchestratorLogger.logWarning(
+        '[GCP Cloud Run] No project specified. Set gcpProject input or GOOGLE_CLOUD_PROJECT env var.',
+      );
+    }
+  }
+
+  async setupWorkflow(
+    buildGuid: string,
+    buildParameters: BuildParameters,
+    branchName: string,
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ) {
+    OrchestratorLogger.log(`[GCP Cloud Run] Setting up workflow for build ${buildGuid}`);
+    ResourceTracking.logAllocationSummary('gcp-cloud-run setup');
+
+    // Verify gcloud CLI is available
+    try {
+      await OrchestratorSystem.Run('gcloud --version', false, true);
+      OrchestratorLogger.log('[GCP Cloud Run] gcloud CLI detected');
+    } catch {
+      throw new Error(
+        '[GCP Cloud Run] gcloud CLI not found. Install Google Cloud SDK: https://cloud.google.com/sdk/docs/install',
+      );
+    }
+
+    // Verify Cloud Run Jobs API is enabled
+    try {
+      const projectFlag = this.project ? `--project=${this.project}` : '';
+      await OrchestratorSystem.Run(
+        `gcloud services list --enabled --filter="name:run.googleapis.com" ${projectFlag} --format="value(name)"`,
+        false,
+        true,
+      );
+    } catch {
+      OrchestratorLogger.logWarning(
+        '[GCP Cloud Run] Could not verify Cloud Run API status. Ensure run.googleapis.com is enabled.',
+      );
+    }
+
+    // Storage-specific setup
+    if ((this.storageType === 'gcs-fuse' || this.storageType === 'gcs-copy') && this.bucket) {
+      await this.ensureBucketExists();
+    }
+  }
+
+  private async ensureBucketExists(): Promise<void> {
+    try {
+      await OrchestratorSystem.Run(
+        `gcloud storage buckets describe gs://${this.bucket} --format="value(name)"`,
+        false,
+        true,
+      );
+      OrchestratorLogger.log(`[GCP Cloud Run] Bucket gs://${this.bucket} exists`);
+    } catch {
+      OrchestratorLogger.log(`[GCP Cloud Run] Creating bucket gs://${this.bucket}`);
+      const projectFlag = this.project ? `--project=${this.project}` : '';
+      await OrchestratorSystem.Run(
+        `gcloud storage buckets create gs://${this.bucket} --location=${this.region} ${projectFlag}`,
+      );
+    }
+  }
+
+  private buildVolumeFlags(mountdir: string): { volumeFlags: string; mountFlags: string } {
+    switch (this.storageType) {
+      case 'gcs-fuse':
+        if (!this.bucket) return { volumeFlags: '', mountFlags: '' };
+        return {
+          volumeFlags: `--add-volume=name=gcs-fuse,type=cloud-storage,bucket=${this.bucket}`,
+          mountFlags: `--add-volume-mount=volume=gcs-fuse,mount-path=${mountdir}`,
+        };
+
+      case 'nfs':
+        if (!this.filestoreIp) return { volumeFlags: '', mountFlags: '' };
+        return {
+          volumeFlags: `--add-volume=name=nfs-vol,type=nfs,location=${this.filestoreIp}:${this.filestoreShare}`,
+          mountFlags: `--add-volume-mount=volume=nfs-vol,mount-path=${mountdir}`,
+        };
+
+      case 'in-memory': {
+        const sizeGib = Math.min(this.diskSizeGb, 32);
+        return {
+          volumeFlags: `--add-volume=name=tmpfs-vol,type=in-memory,size-limit=${sizeGib}Gi`,
+          mountFlags: `--add-volume-mount=volume=tmpfs-vol,mount-path=${mountdir}`,
+        };
+      }
+
+      case 'gcs-copy':
+        // No volume mount — artifacts are copied in/out via gsutil commands
+        return { volumeFlags: '', mountFlags: '' };
+
+      default:
+        return { volumeFlags: '', mountFlags: '' };
+    }
+  }
+
+  private async copyArtifactsIn(mountdir: string): Promise<void> {
+    if (this.storageType !== 'gcs-copy' || !this.bucket) return;
+    OrchestratorLogger.log(`[GCP Cloud Run] Copying artifacts from gs://${this.bucket} to ${mountdir}`);
+    try {
+      await OrchestratorSystem.Run(`gcloud storage cp -r "gs://${this.bucket}/*" "${mountdir}/" || true`, false, true);
+    } catch {
+      OrchestratorLogger.log('[GCP Cloud Run] No existing artifacts to restore (bucket may be empty)');
+    }
+  }
+
+  private async copyArtifactsOut(mountdir: string): Promise<void> {
+    if (this.storageType !== 'gcs-copy' || !this.bucket) return;
+    OrchestratorLogger.log(`[GCP Cloud Run] Uploading artifacts from ${mountdir} to gs://${this.bucket}`);
+    await OrchestratorSystem.Run(`gcloud storage cp -r "${mountdir}/*" "gs://${this.bucket}/"`, false, true);
+  }
+
+  async runTaskInWorkflow(
+    buildGuid: string,
+    image: string,
+    commands: string,
+    mountdir: string,
+    workingdir: string,
+    environment: OrchestratorEnvironmentVariable[],
+    secrets: OrchestratorSecret[],
+  ): Promise<string> {
+    OrchestratorLogger.log(`[GCP Cloud Run] Running task for build ${buildGuid}`);
+    ResourceTracking.logAllocationSummary('gcp-cloud-run task');
+
+    const jobName = `unity-build-${buildGuid}`
+      .toLowerCase()
+      .replace(/[^a-z0-9-]/g, '-')
+      .slice(0, 63);
+    const projectFlag = this.project ? `--project=${this.project}` : '';
+
+    // Build environment variable flags
+    const envFlags = environment
+      .map((env) => `${env.name}=${env.value}`)
+      .concat(secrets.map((s) => `${s.EnvironmentVariable}=${s.ParameterValue}`));
+    const envString = envFlags.length > 0 ? `--set-env-vars="${envFlags.join(',')}"` : '';
+
+    // Build storage volume flags
+    const { volumeFlags, mountFlags } = this.buildVolumeFlags(mountdir);
+
+    // For gcs-copy, wrap the user command with copy-in/copy-out steps
+    let effectiveCommands = commands;
+    if (this.storageType === 'gcs-copy' && this.bucket && commands) {
+      effectiveCommands = [
+        `gcloud storage cp -r "gs://${this.bucket}/*" "${mountdir}/" 2>/dev/null || true`,
+        commands,
+        `gcloud storage cp -r "${mountdir}/*" "gs://${this.bucket}/"`,
+      ].join(' && ');
+    }
+
+    const saFlag = this.serviceAccount ? `--service-account=${this.serviceAccount}` : '';
+    const vpcFlag = this.vpcConnector ? `--vpc-connector=${this.vpcConnector}` : '';
+
+    // Create the Cloud Run Job
+    const createCmd = [
+      'gcloud run jobs create',
+      jobName,
+      `--image=${image}`,
+      `--region=${this.region}`,
+      '--task-timeout=86400s',
+      '--max-retries=0',
+      '--cpu=4',
+      '--memory=16Gi',
+      volumeFlags,
+      mountFlags,
+      envString,
+      saFlag,
+      vpcFlag,
+      projectFlag,
+      '--format=json',
+      '--quiet',
+    ]
+      .filter(Boolean)
+      .join(' ');
+
+    try {
+      await OrchestratorSystem.Run(createCmd);
+      OrchestratorLogger.log(`[GCP Cloud Run] Job ${jobName} created`);
+    } catch (error: any) {
+      if (error.message?.includes('already exists')) {
+        OrchestratorLogger.log(`[GCP Cloud Run] Job ${jobName} already exists, updating...`);
+        const updateCmd = createCmd.replace('jobs create', 'jobs update');
+        await OrchestratorSystem.Run(updateCmd);
+      } else {
+        throw error;
+      }
+    }
+
+    // Override the command if provided
+    if (effectiveCommands) {
+      const updateCmd = [
+        'gcloud run jobs update',
+        jobName,
+        `--region=${this.region}`,
+        '--command="/bin/sh"',
+        `--args="-c,${effectiveCommands}"`,
+        projectFlag,
+        '--quiet',
+      ]
+        .filter(Boolean)
+        .join(' ');
+
+      await OrchestratorSystem.Run(updateCmd);
+    }
+
+    // Execute the job
+    OrchestratorLogger.log(`[GCP Cloud Run] Executing job ${jobName} (storage: ${this.storageType})...`);
+    const executeCmd = [
+      'gcloud run jobs execute',
+      jobName,
+      `--region=${this.region}`,
+      projectFlag,
+      '--wait',
+      '--format=json',
+      '--quiet',
+    ]
+      .filter(Boolean)
+      .join(' ');
+
+    let output = '';
+    try {
+      output = await OrchestratorSystem.Run(executeCmd);
+      OrchestratorLogger.log('[GCP Cloud Run] Job execution completed');
+    } catch (error: any) {
+      await this.streamJobLogs(jobName);
+      throw new Error(`[GCP Cloud Run] Job execution failed: ${error.message}`);
+    }
+
+    await this.streamJobLogs(jobName);
+    return output;
+  }
+
+  private async streamJobLogs(jobName: string): Promise<void> {
+    const projectFlag = this.project ? `--project=${this.project}` : '';
+    try {
+      const logs = await OrchestratorSystem.Run(
+        `gcloud logging read "resource.type=cloud_run_job AND resource.labels.job_name=${jobName}" ${projectFlag} --limit=1000 --format="value(textPayload)" --order=asc`,
+        false,
+        true,
+      );
+      if (logs) {
+        for (const line of logs.split('\n')) {
+          if (line.trim()) {
+            OrchestratorLogger.log(`[Build] ${line}`);
+          }
+        }
+      }
+    } catch {
+      OrchestratorLogger.logWarning('[GCP Cloud Run] Could not retrieve job logs');
+    }
+  }
+
+  async cleanupWorkflow(
+    buildParameters: BuildParameters,
+    branchName: string,
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ) {
+    OrchestratorLogger.log('[GCP Cloud Run] Cleaning up workflow');
+  }
+
+  async garbageCollect(
+    filter: string,
+    previewOnly: boolean,
+    olderThan: Number,
+    fullCache: boolean,
+    baseDependencies: boolean,
+  ): Promise<string> {
+    OrchestratorLogger.log('[GCP Cloud Run] Garbage collecting old jobs');
+    const projectFlag = this.project ? `--project=${this.project}` : '';
+
+    try {
+      const jobsJson = await OrchestratorSystem.Run(
+        `gcloud run jobs list --region=${this.region} ${projectFlag} --filter="metadata.name~unity-build-" --format="json(metadata.name,metadata.creationTimestamp)"`,
+        false,
+        true,
+      );
+
+      const jobs = JSON.parse(jobsJson || '[]');
+      const cutoffDate = new Date();
+      cutoffDate.setDate(cutoffDate.getDate() - Number(olderThan));
+
+      let deletedCount = 0;
+      for (const job of jobs) {
+        const createdAt = new Date(job.metadata?.creationTimestamp || 0);
+        if (createdAt < cutoffDate) {
+          const name = job.metadata?.name;
+          if (previewOnly) {
+            OrchestratorLogger.log(`[GCP Cloud Run] Would delete: ${name}`);
+          } else {
+            await OrchestratorSystem.Run(
+              `gcloud run jobs delete ${name} --region=${this.region} ${projectFlag} --quiet`,
+            );
+            deletedCount++;
+          }
+        }
+      }
+
+      return `Garbage collected ${deletedCount} Cloud Run jobs`;
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`[GCP Cloud Run] Garbage collection failed: ${error.message}`);
+      return '';
+    }
+  }
+
+  async listResources(): Promise<ProviderResource[]> {
+    const projectFlag = this.project ? `--project=${this.project}` : '';
+    try {
+      const jobsJson = await OrchestratorSystem.Run(
+        `gcloud run jobs list --region=${this.region} ${projectFlag} --filter="metadata.name~unity-build-" --format="json(metadata.name)"`,
+        false,
+        true,
+      );
+
+      const jobs = JSON.parse(jobsJson || '[]');
+      return jobs.map((job: any) => ({ Name: job.metadata?.name || '' }));
+    } catch {
+      return [];
+    }
+  }
+
+  listWorkflow(): Promise<ProviderWorkflow[]> {
+    throw new Error('[GCP Cloud Run] listWorkflow not implemented for this experimental provider');
+  }
+
+  async watchWorkflow(): Promise<string> {
+    throw new Error('[GCP Cloud Run] watchWorkflow not implemented for this experimental provider');
+  }
+}
+
+export default GcpCloudRunProvider;

src/model/orchestrator/providers/provider-loader.ts

@@ -62,6 +62,8 @@ export default async function loadProvider(
           'local-docker': './docker',
           'local-system': './local',
           local: './local',
+          'gcp-cloud-run': './gcp-cloud-run',
+          'azure-aci': './azure-aci',
         };
 
         modulePath = providerModuleMap[providerSource] || providerSource;
@@ -136,7 +138,7 @@ export class ProviderLoader {
    * @returns string[] - Array of available provider names
    */
   static getAvailableProviders(): string[] {
-    return ['aws', 'k8s', 'test', 'local-docker', 'local-system', 'local'];
+    return ['aws', 'k8s', 'test', 'local-docker', 'local-system', 'local', 'gcp-cloud-run', 'azure-aci'];
   }
 
   /**

src/model/orchestrator/services/secrets/secret-source-service.test.ts

@@ -1,446 +0,0 @@
-import fs from 'node:fs';
-import * as core from '@actions/core';
-import { SecretSourceService, validateSecretKey } from './secret-source-service';
-
-jest.mock('node:fs');
-jest.mock('@actions/core', () => ({
-  setSecret: jest.fn(),
-  info: jest.fn(),
-  warning: jest.fn(),
-  error: jest.fn(),
-}));
-jest.mock('../core/orchestrator-system', () => ({
-  OrchestratorSystem: {
-    Run: jest.fn().mockResolvedValue(''),
-  },
-}));
-jest.mock('../core/orchestrator-logger', () => ({
-  __esModule: true,
-  default: {
-    log: jest.fn(),
-    logWarning: jest.fn(),
-    error: jest.fn(),
-  },
-}));
-
-const mockFs = fs as jest.Mocked<typeof fs>;
-
-describe('SecretSourceService', () => {
-  beforeEach(() => {
-    jest.clearAllMocks();
-  });
-
-  describe('validateSecretKey', () => {
-    it('should accept alphanumeric keys', () => {
-      expect(validateSecretKey('MY_SECRET_KEY')).toBe('MY_SECRET_KEY');
-    });
-
-    it('should accept keys with hyphens', () => {
-      expect(validateSecretKey('my-secret-key')).toBe('my-secret-key');
-    });
-
-    it('should accept keys with dots', () => {
-      expect(validateSecretKey('my.secret.key')).toBe('my.secret.key');
-    });
-
-    it('should accept keys with forward slashes', () => {
-      expect(validateSecretKey('path/to/secret')).toBe('path/to/secret');
-    });
-
-    it('should accept keys with mixed valid characters', () => {
-      expect(validateSecretKey('my-app/prod_db.password')).toBe('my-app/prod_db.password');
-    });
-
-    it('should reject keys with semicolons (shell injection)', () => {
-      expect(() => validateSecretKey('; rm -rf /')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with backticks (command substitution)', () => {
-      expect(() => validateSecretKey('`whoami`')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with dollar signs (variable expansion)', () => {
-      expect(() => validateSecretKey('$HOME')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with pipe characters', () => {
-      expect(() => validateSecretKey('key | cat /etc/passwd')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with ampersands', () => {
-      expect(() => validateSecretKey('key && echo pwned')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with newlines', () => {
-      expect(() => validateSecretKey('key\nmalicious')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with quotes', () => {
-      expect(() => validateSecretKey('"key"')).toThrow('Invalid secret key name');
-      expect(() => validateSecretKey("'key'")).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with parentheses (subshell)', () => {
-      expect(() => validateSecretKey('$(whoami)')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject empty keys', () => {
-      expect(() => validateSecretKey('')).toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with spaces', () => {
-      expect(() => validateSecretKey('key with spaces')).toThrow('Invalid secret key name');
-    });
-  });
-
-  describe('isPremadeSource', () => {
-    it('should return true for aws-secrets-manager', () => {
-      expect(SecretSourceService.isPremadeSource('aws-secrets-manager')).toBe(true);
-    });
-
-    it('should return true for aws-secret-manager (legacy alias)', () => {
-      expect(SecretSourceService.isPremadeSource('aws-secret-manager')).toBe(true);
-    });
-
-    it('should return true for aws-parameter-store', () => {
-      expect(SecretSourceService.isPremadeSource('aws-parameter-store')).toBe(true);
-    });
-
-    it('should return true for gcp-secret-manager', () => {
-      expect(SecretSourceService.isPremadeSource('gcp-secret-manager')).toBe(true);
-    });
-
-    it('should return true for azure-key-vault', () => {
-      expect(SecretSourceService.isPremadeSource('azure-key-vault')).toBe(true);
-    });
-
-    it('should return true for hashicorp-vault', () => {
-      expect(SecretSourceService.isPremadeSource('hashicorp-vault')).toBe(true);
-    });
-
-    it('should return true for hashicorp-vault-kv1', () => {
-      expect(SecretSourceService.isPremadeSource('hashicorp-vault-kv1')).toBe(true);
-    });
-
-    it('should return true for vault (short alias)', () => {
-      expect(SecretSourceService.isPremadeSource('vault')).toBe(true);
-    });
-
-    it('should return false for unknown source', () => {
-      expect(SecretSourceService.isPremadeSource('unknown-source')).toBe(false);
-    });
-  });
-
-  describe('getAvailableSources', () => {
-    it('should return all premade source names', () => {
-      const sources = SecretSourceService.getAvailableSources();
-      expect(sources).toContain('aws-secrets-manager');
-      expect(sources).toContain('aws-parameter-store');
-      expect(sources).toContain('gcp-secret-manager');
-      expect(sources).toContain('azure-key-vault');
-      expect(sources).toContain('hashicorp-vault');
-      expect(sources).toContain('hashicorp-vault-kv1');
-      expect(sources).toContain('vault');
-      expect(sources.length).toBeGreaterThanOrEqual(8);
-    });
-  });
-
-  describe('resolveSource', () => {
-    it('should resolve premade source by name', () => {
-      const source = SecretSourceService.resolveSource('aws-secrets-manager');
-      expect(source).toBeDefined();
-      expect(source!.name).toBe('aws-secrets-manager');
-      expect(source!.command).toContain('secretsmanager');
-    });
-
-    it('should resolve custom command with {0} placeholder', () => {
-      const source = SecretSourceService.resolveSource('vault kv get -field=value secret/{0}');
-      expect(source).toBeDefined();
-      expect(source!.name).toBe('custom-command');
-      expect(source!.command).toContain('{0}');
-    });
-
-    it('should resolve command with spaces as custom command', () => {
-      const source = SecretSourceService.resolveSource('my-tool get-secret');
-      expect(source).toBeDefined();
-      expect(source!.name).toBe('custom-command');
-    });
-
-    it('should return undefined for unknown single-word source', () => {
-      const source = SecretSourceService.resolveSource('unknown');
-      expect(source).toBeUndefined();
-    });
-  });
-
-  describe('fetchSecret', () => {
-    it('should run the command with {0} replaced by key', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue('my-secret-value');
-
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-      const result = await SecretSourceService.fetchSecret(source, 'MY_SECRET');
-
-      expect(result).toBe('my-secret-value');
-      expect(OrchestratorSystem.Run).toHaveBeenCalledWith(expect.stringContaining('MY_SECRET'), false, true);
-    });
-
-    it('should parse JSON output when parseOutput is json-field', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue(JSON.stringify({ value: 'extracted-secret' }));
-
-      const source = {
-        name: 'test-source',
-        command: 'fetch {0}',
-        parseOutput: 'json-field' as const,
-        jsonField: 'value',
-      };
-      const result = await SecretSourceService.fetchSecret(source, 'KEY');
-
-      expect(result).toBe('extracted-secret');
-    });
-
-    it('should fall back to raw output on invalid JSON with json-field mode', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue('not-json');
-
-      const source = {
-        name: 'test-source',
-        command: 'fetch {0}',
-        parseOutput: 'json-field' as const,
-        jsonField: 'value',
-      };
-      const result = await SecretSourceService.fetchSecret(source, 'KEY');
-
-      expect(result).toBe('not-json');
-    });
-
-    it('should return empty string on command failure', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockRejectedValue(new Error('command not found'));
-
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-      const result = await SecretSourceService.fetchSecret(source, 'KEY');
-
-      expect(result).toBe('');
-    });
-
-    it('should reject keys with shell injection characters', async () => {
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-
-      await expect(SecretSourceService.fetchSecret(source, '; rm -rf /')).rejects.toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with command substitution', async () => {
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-
-      await expect(SecretSourceService.fetchSecret(source, '$(whoami)')).rejects.toThrow('Invalid secret key name');
-    });
-
-    it('should reject keys with backtick command substitution', async () => {
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-
-      await expect(SecretSourceService.fetchSecret(source, '`cat /etc/passwd`')).rejects.toThrow(
-        'Invalid secret key name',
-      );
-    });
-
-    it('should accept keys with valid path-like patterns', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue('secret-value');
-
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-      const result = await SecretSourceService.fetchSecret(source, 'prod/database/password');
-
-      expect(result).toBe('secret-value');
-    });
-
-    it('should mask fetched secret values with core.setSecret', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue('super-secret-value');
-
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-      await SecretSourceService.fetchSecret(source, 'MY_SECRET');
-
-      expect(core.setSecret).toHaveBeenCalledWith('super-secret-value');
-    });
-
-    it('should not mask empty secret values', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue('');
-
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-      await SecretSourceService.fetchSecret(source, 'MY_SECRET');
-
-      expect(core.setSecret).not.toHaveBeenCalled();
-    });
-
-    it('should mask JSON-extracted secret values', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValue(JSON.stringify({ value: 'json-secret' }));
-
-      const source = {
-        name: 'test-source',
-        command: 'fetch {0}',
-        parseOutput: 'json-field' as const,
-        jsonField: 'value',
-      };
-      await SecretSourceService.fetchSecret(source, 'KEY');
-
-      expect(core.setSecret).toHaveBeenCalledWith('json-secret');
-    });
-  });
-
-  describe('fetchFromEnv', () => {
-    it('should return env var value when set', () => {
-      process.env.TEST_SECRET_KEY = 'env-value';
-      const result = SecretSourceService.fetchFromEnv('TEST_SECRET_KEY');
-      expect(result).toBe('env-value');
-      delete process.env.TEST_SECRET_KEY;
-    });
-
-    it('should return empty string when env var is not set', () => {
-      const result = SecretSourceService.fetchFromEnv('NONEXISTENT_KEY_12345');
-      expect(result).toBe('');
-    });
-
-    it('should mask env var values with core.setSecret', () => {
-      process.env.TEST_MASK_KEY = 'masked-env-value';
-      SecretSourceService.fetchFromEnv('TEST_MASK_KEY');
-      expect(core.setSecret).toHaveBeenCalledWith('masked-env-value');
-      delete process.env.TEST_MASK_KEY;
-    });
-
-    it('should not mask empty env var values', () => {
-      const result = SecretSourceService.fetchFromEnv('NONEXISTENT_KEY_99999');
-      expect(result).toBe('');
-      expect(core.setSecret).not.toHaveBeenCalled();
-    });
-  });
-
-  describe('fetchAll', () => {
-    it('should fetch all keys from env source', async () => {
-      process.env.KEY_A = 'val-a';
-      process.env.KEY_B = 'val-b';
-
-      const results = await SecretSourceService.fetchAll('env', ['KEY_A', 'KEY_B']);
-
-      expect(results.KEY_A).toBe('val-a');
-      expect(results.KEY_B).toBe('val-b');
-
-      delete process.env.KEY_A;
-      delete process.env.KEY_B;
-    });
-
-    it('should fetch all keys from premade source', async () => {
-      const { OrchestratorSystem } = require('../core/orchestrator-system');
-      OrchestratorSystem.Run.mockResolvedValueOnce('secret-1').mockResolvedValueOnce('secret-2');
-
-      const results = await SecretSourceService.fetchAll('aws-parameter-store', ['param1', 'param2']);
-
-      expect(results.param1).toBe('secret-1');
-      expect(results.param2).toBe('secret-2');
-      expect(OrchestratorSystem.Run).toHaveBeenCalledTimes(2);
-    });
-
-    it('should return empty results for unknown source', async () => {
-      const results = await SecretSourceService.fetchAll('unknown', ['key1']);
-      expect(results).toEqual({});
-    });
-  });
-
-  describe('loadFromYaml', () => {
-    it('should return empty array when file does not exist', () => {
-      (mockFs.existsSync as jest.Mock).mockReturnValue(false);
-      const result = SecretSourceService.loadFromYaml('/nonexistent.yml');
-      expect(result).toEqual([]);
-    });
-
-    it('should parse valid YAML source definitions', () => {
-      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
-      (mockFs.readFileSync as jest.Mock).mockReturnValue(`
-sources:
-  - name: my-vault
-    command: 'vault kv get -field=value secret/{0}'
-  - name: my-api
-    command: 'curl -s https://api.example.com/{0}'
-    parseOutput: json-field
-    jsonField: secret_value
-`);
-
-      const result = SecretSourceService.loadFromYaml('/sources.yml');
-
-      expect(result).toHaveLength(2);
-      expect(result[0].name).toBe('my-vault');
-      expect(result[0].command).toBe('vault kv get -field=value secret/{0}');
-      expect(result[1].name).toBe('my-api');
-      expect(result[1].parseOutput).toBe('json-field');
-      expect(result[1].jsonField).toBe('secret_value');
-    });
-
-    it('should handle YAML with single source', () => {
-      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
-      (mockFs.readFileSync as jest.Mock).mockReturnValue(`
-sources:
-  - name: simple
-    command: echo {0}
-`);
-
-      const result = SecretSourceService.loadFromYaml('/simple.yml');
-      expect(result).toHaveLength(1);
-      expect(result[0].name).toBe('simple');
-    });
-
-    it('should return empty array on parse error', () => {
-      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
-      (mockFs.readFileSync as jest.Mock).mockImplementation(() => {
-        throw new Error('Permission denied');
-      });
-
-      const result = SecretSourceService.loadFromYaml('/error.yml');
-      expect(result).toEqual([]);
-    });
-  });
-
-  describe('premade source commands', () => {
-    it('aws-secrets-manager uses --query SecretString', () => {
-      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
-      expect(source.command).toContain('--query SecretString');
-      expect(source.command).toContain('--output text');
-    });
-
-    it('aws-parameter-store uses --with-decryption', () => {
-      const source = SecretSourceService.resolveSource('aws-parameter-store')!;
-      expect(source.command).toContain('--with-decryption');
-      expect(source.command).toContain('--query Parameter.Value');
-    });
-
-    it('gcp-secret-manager uses latest version', () => {
-      const source = SecretSourceService.resolveSource('gcp-secret-manager')!;
-      expect(source.command).toContain('latest');
-    });
-
-    it('azure-key-vault uses AZURE_VAULT_NAME env var', () => {
-      const source = SecretSourceService.resolveSource('azure-key-vault')!;
-      expect(source.command).toContain('$AZURE_VAULT_NAME');
-    });
-
-    it('hashicorp-vault uses vault kv get with VAULT_MOUNT', () => {
-      const source = SecretSourceService.resolveSource('hashicorp-vault')!;
-      expect(source.command).toContain('vault kv get');
-      expect(source.command).toContain('VAULT_MOUNT');
-      expect(source.command).toContain('-field=value');
-    });
-
-    it('hashicorp-vault-kv1 uses vault read for KV v1', () => {
-      const source = SecretSourceService.resolveSource('hashicorp-vault-kv1')!;
-      expect(source.command).toContain('vault read');
-      expect(source.command).toContain('-field=value');
-    });
-
-    it('vault alias resolves to same command as hashicorp-vault', () => {
-      const vault = SecretSourceService.resolveSource('vault')!;
-      const hashicorpVault = SecretSourceService.resolveSource('hashicorp-vault')!;
-      expect(vault.command).toBe(hashicorpVault.command);
-    });
-  });
-});

src/model/orchestrator/services/secrets/secret-source-service.ts

@@ -1,337 +0,0 @@
-import fs from 'node:fs';
-import * as core from '@actions/core';
-import OrchestratorLogger from '../core/orchestrator-logger';
-import { OrchestratorSystem } from '../core/orchestrator-system';
-
-/**
- * A secret source definition: how to fetch a secret value by key.
- */
-export interface SecretSourceDefinition {
-  name: string;
-  command: string;
-  parseOutput?: 'raw' | 'json-field';
-  jsonField?: string;
-}
-
-/**
- * Validate that a secret key name contains only safe characters.
- * Prevents shell injection when keys are interpolated into commands.
- *
- * Allowed characters: alphanumeric, hyphens, underscores, dots, forward slashes.
- *
- * @param key - The secret key name to validate
- * @returns The validated key (unchanged)
- * @throws Error if the key contains disallowed characters
- */
-export function validateSecretKey(key: string): string {
-  if (!/^[a-zA-Z0-9\-_./]+$/.test(key)) {
-    throw new Error(
-      `Invalid secret key name: "${key}". Keys may only contain alphanumeric characters, hyphens, underscores, dots, and forward slashes.`,
-    );
-  }
-
-  return key;
-}
-
-/**
- * Mask a secret value so it does not appear in GitHub Actions logs.
- * Empty or whitespace-only values are skipped (core.setSecret would be a no-op).
- */
-function maskSecretValue(value: string): void {
-  if (value.trim().length > 0) {
-    core.setSecret(value);
-  }
-}
-
-/**
- * Premade secret sources and custom YAML-based secret source definitions.
- *
- * Premade sources are string shortcuts that expand to shell commands:
- *   - `aws-secrets-manager` -- AWS Secrets Manager
- *   - `aws-parameter-store` -- AWS Systems Manager Parameter Store
- *   - `gcp-secret-manager` -- Google Cloud Secret Manager
- *   - `azure-key-vault` -- Azure Key Vault (requires AZURE_VAULT_NAME env var)
- *   - `hashicorp-vault` -- HashiCorp Vault KV v2 (requires VAULT_ADDR, optionally VAULT_MOUNT)
- *   - `hashicorp-vault-kv1` -- HashiCorp Vault KV v1 (requires VAULT_ADDR, optionally VAULT_MOUNT)
- *   - `env` -- Read from environment variables (no shell command needed)
- *
- * Custom YAML format:
- *   sources:
- *     - name: my-vault
- *       command: 'vault kv get -field=value secret/{0}'
- *     - name: my-api
- *       command: 'curl -s https://secrets.example.com/api/{0}'
- *       parseOutput: json-field
- *       jsonField: value
- */
-export class SecretSourceService {
-  private static readonly premadeSources: Record<string, SecretSourceDefinition> = {
-    'aws-secrets-manager': {
-      name: 'aws-secrets-manager',
-      command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
-      parseOutput: 'raw',
-    },
-    'aws-secret-manager': {
-      // Alias for backward compatibility (original name in inputPullCommand)
-      name: 'aws-secret-manager',
-      command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
-      parseOutput: 'raw',
-    },
-    'aws-parameter-store': {
-      name: 'aws-parameter-store',
-      command: 'aws ssm get-parameter --name {0} --with-decryption --query Parameter.Value --output text',
-      parseOutput: 'raw',
-    },
-    'gcp-secret-manager': {
-      name: 'gcp-secret-manager',
-      command: 'gcloud secrets versions access latest --secret="{0}"',
-      parseOutput: 'raw',
-    },
-    'azure-key-vault': {
-      name: 'azure-key-vault',
-      command: 'az keyvault secret show --vault-name "$AZURE_VAULT_NAME" --name {0} --query value --output tsv',
-      parseOutput: 'raw',
-    },
-    'hashicorp-vault': {
-      // HashiCorp Vault KV v2 (default). Requires VAULT_ADDR env var.
-      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
-      // Authentication is handled by VAULT_TOKEN or other Vault auth env vars.
-      name: 'hashicorp-vault',
-      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
-      parseOutput: 'raw',
-    },
-    'hashicorp-vault-kv1': {
-      // HashiCorp Vault KV v1. Requires VAULT_ADDR env var.
-      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
-      name: 'hashicorp-vault-kv1',
-      command: 'vault read -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
-      parseOutput: 'raw',
-    },
-    vault: {
-      // Short alias for hashicorp-vault (KV v2)
-      name: 'vault',
-      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
-      parseOutput: 'raw',
-    },
-  };
-
-  /**
-   * Check if a source name is a known premade source.
-   */
-  static isPremadeSource(sourceName: string): boolean {
-    return sourceName in SecretSourceService.premadeSources;
-  }
-
-  /**
-   * Get the list of available premade source names.
-   */
-  static getAvailableSources(): string[] {
-    return Object.keys(SecretSourceService.premadeSources);
-  }
-
-  /**
-   * Resolve a source name to a SecretSourceDefinition.
-   *
-   * - If the name matches a premade source, returns that definition.
-   * - If it looks like a shell command (contains spaces or {0}), wraps it as a custom command.
-   * - Otherwise, returns undefined.
-   */
-  static resolveSource(sourceName: string): SecretSourceDefinition | undefined {
-    // Check premade sources
-    if (SecretSourceService.isPremadeSource(sourceName)) {
-      return SecretSourceService.premadeSources[sourceName];
-    }
-
-    // If it contains a placeholder or spaces, treat it as a raw command
-    if (sourceName.includes('{0}') || sourceName.includes(' ')) {
-      return {
-        name: 'custom-command',
-        command: sourceName,
-        parseOutput: 'raw',
-      };
-    }
-
-    return undefined;
-  }
-
-  /**
-   * Load custom secret source definitions from a YAML file.
-   *
-   * Expected format:
-   *   sources:
-   *     - name: my-source
-   *       command: 'my-tool get-secret {0}'
-   *     - name: my-api
-   *       command: 'curl -s https://api.example.com/secrets/{0}'
-   *       parseOutput: json-field
-   *       jsonField: value
-   */
-  static loadFromYaml(filePath: string): SecretSourceDefinition[] {
-    if (!fs.existsSync(filePath)) {
-      OrchestratorLogger.logWarning(`Secret source YAML not found: ${filePath}`);
-
-      return [];
-    }
-
-    try {
-      const content = fs.readFileSync(filePath, 'utf8');
-      const parsed = SecretSourceService.parseSimpleYaml(content);
-
-      return parsed;
-    } catch (error: any) {
-      OrchestratorLogger.logWarning(`Failed to parse secret source YAML: ${error.message}`);
-
-      return [];
-    }
-  }
-
-  /**
-   * Fetch a secret value using the given source definition.
-   *
-   * Validates the key against an allowlist pattern before interpolating it
-   * into the command string to prevent shell injection. The fetched secret
-   * value is masked via core.setSecret() so it does not leak in logs.
-   *
-   * @param source - The secret source definition to use
-   * @param key - The secret key to fetch
-   * @returns The secret value, or empty string on failure
-   */
-  static async fetchSecret(source: SecretSourceDefinition, key: string): Promise<string> {
-    // Validate the key to prevent shell injection
-    validateSecretKey(key);
-
-    const command = source.command.replace(/\{0\}/g, key);
-
-    try {
-      const output = await OrchestratorSystem.Run(command, false, true);
-
-      let value: string;
-
-      if (source.parseOutput === 'json-field' && source.jsonField) {
-        try {
-          const parsed = JSON.parse(output);
-          value = parsed[source.jsonField] || '';
-        } catch {
-          OrchestratorLogger.logWarning(`Failed to parse JSON output from ${source.name} for key ${key}`);
-          value = output.trim();
-        }
-      } else {
-        value = output.trim();
-      }
-
-      // Mask the secret value so it does not appear in GitHub Actions logs
-      maskSecretValue(value);
-
-      return value;
-    } catch (error: any) {
-      OrchestratorLogger.logWarning(`Failed to fetch secret '${key}' from ${source.name}: ${error.message}`);
-
-      return '';
-    }
-  }
-
-  /**
-   * Fetch a secret from an environment variable. No shell command needed.
-   * The value is masked via core.setSecret() so it does not leak in logs.
-   */
-  static fetchFromEnv(key: string): string {
-    const value = process.env[key] || '';
-    maskSecretValue(value);
-
-    return value;
-  }
-
-  /**
-   * Resolve a source name and fetch all secrets from it.
-   *
-   * @param sourceName - Premade source name, shell command, or 'env'
-   * @param keys - List of secret keys to fetch
-   * @returns Map of key -> value
-   */
-  static async fetchAll(sourceName: string, keys: string[]): Promise<Record<string, string>> {
-    const results: Record<string, string> = {};
-
-    if (sourceName === 'env') {
-      for (const key of keys) {
-        results[key] = SecretSourceService.fetchFromEnv(key);
-      }
-
-      return results;
-    }
-
-    const source = SecretSourceService.resolveSource(sourceName);
-    if (!source) {
-      OrchestratorLogger.logWarning(
-        `Unknown secret source '${sourceName}'. Available sources: ${SecretSourceService.getAvailableSources().join(
-          ', ',
-        )}`,
-      );
-
-      return results;
-    }
-
-    OrchestratorLogger.log(`Fetching ${keys.length} secret(s) from ${source.name}`);
-
-    for (const key of keys) {
-      results[key] = await SecretSourceService.fetchSecret(source, key);
-    }
-
-    return results;
-  }
-
-  /**
-   * Simple YAML parser for secret source definitions.
-   * Handles the specific structure we expect without requiring a YAML library.
-   */
-  private static parseSimpleYaml(content: string): SecretSourceDefinition[] {
-    const definitions: SecretSourceDefinition[] = [];
-    const lines = content.split('\n');
-    let current: Partial<SecretSourceDefinition> | null = null;
-
-    for (const rawLine of lines) {
-      const line = rawLine.replace(/\r$/, '');
-      const trimmed = line.trim();
-
-      if (trimmed === '' || trimmed.startsWith('#')) continue;
-
-      if (trimmed === '- name:' || trimmed.startsWith('- name:')) {
-        if (current?.name && current?.command) {
-          definitions.push(current as SecretSourceDefinition);
-        }
-
-        current = {
-          name: trimmed
-            .replace('- name:', '')
-            .trim()
-            .replace(/^['"]|['"]$/g, ''),
-          parseOutput: 'raw',
-        };
-        continue;
-      }
-
-      if (current && trimmed.startsWith('command:')) {
-        current.command = trimmed
-          .replace('command:', '')
-          .trim()
-          .replace(/^['"]|['"]$/g, '');
-      } else if (current && trimmed.startsWith('parseOutput:')) {
-        const value = trimmed
-          .replace('parseOutput:', '')
-          .trim()
-          .replace(/^['"]|['"]$/g, '');
-        current.parseOutput = value as 'raw' | 'json-field';
-      } else if (current && trimmed.startsWith('jsonField:')) {
-        current.jsonField = trimmed
-          .replace('jsonField:', '')
-          .trim()
-          .replace(/^['"]|['"]$/g, '');
-      }
-    }
-
-    if (current?.name && current?.command) {
-      definitions.push(current as SecretSourceDefinition);
-    }
-
-    return definitions;
-  }
-}