feat(go/adbc/driver/bigquery): add external-account (WIF) auth

[ragesh-g]

Summary

This adds Workload Identity Federation (WIF) as an authentication option for the BigQuery driver. With WIF, a workload authenticates through an external identity provider (Microsoft Entra, in the dbt setup) and Google grants BigQuery access based on that.

How it works

When a profile uses this method, the driver:

1. asks the identity provider (e.g. Entra) for a token, by sending the sign-in request the user put in their profile;
2. trades that token with Google for a short-lived Google access token;
3. optionally "borrows" a service account's identity (impersonation), if the profile points at one;

then uses the resulting token to run BigQuery jobs.

It reads four new settings from the profile: the workload pool/provider path, the provider's token URL, the request body to send it, and an optional service-account impersonation URL.

Testing

• Go unit tests.

• Manual dbt run against BigQuery via Entra WIF, driven through dbt-labs/fs#10486.

Dependency

Paired with dbt-labs/fs#10486 (the dbt side that sets these options).

[VersusFacit]

I generally agree the network call should be at this layer. I think we should do exponential backoff with jitter here. Make constants at top of the file. start at 500ms, tiny bit of jitter to prevent collisions. This keeps it at 15ish seconds worst case for a total failure, which is well within the 30s timeout already on the HTTP client. Don't expose the retries upstream

[VersusFacit]

anyway we can map the error to something more human readable? Ask claude, I -think- there are some cases we'd like to be more sophisticated in catching the errors since this might show up in fs as something like "cannot unmarshal into json" and users would have no idea what's going on

[VersusFacit]

Request for retry logic, but this is pretty much good to go