feat(source-google-calendar): add OAuth flow with credentials wrapper, config migration, and Service Account auth

[Serhii Lazebnyi (lazebnyi)]

What

Add oauth_connector_input_specification with granular scopes to support the Granular OAuth Scopes project, and restructure the connector's spec so that OAuth fields (client_id, client_secret, client_refresh_token_2) are properly hidden behind the platform's "Authenticate" button instead of being rendered as bare input fields. Also adds Service Account Key authentication as a second auth type.

Also replaces the placeholder connector icon with a Google Calendar icon.

References https://github.com/airbytehq/airbyte-internal-issues/issues/16023

How

1. Spec restructuring: Wrapped client_id, client_secret, and client_refresh_token_2 inside a credentials object with a oneOf auth type selector containing two options: OAuth and Service Account Key (matching the pattern used by source-google-sheets and other Google connectors).
2. SelectiveAuthenticator: Replaced the inline OAuthAuthenticator on base_requester with a SelectiveAuthenticator that dispatches on credentials.auth_type:
   • Client → oauth_authenticator (OAuth refresh-token flow)
   • Service → jwt_profile_assertion_oauth_authenticator (JWT profile assertion via service account key)
3. advanced_auth: Added predicate_key: [credentials, auth_type] and predicate_value: Client so the platform UI renders the OAuth button correctly. Added oauth_connector_input_specification with the calendar.readonly scope.
4. path_in_connector_config: Updated all OAuth output paths to point to credentials.client_id, credentials.client_secret, and credentials.client_refresh_token_2.
5. Config migration: Added config_normalization_rules with a ConfigMigration that transparently moves top-level OAuth fields into the nested credentials object for existing connections (so this is non-breaking for current users).
6. Icon: Replaced generic placeholder SVG with a Google Calendar icon.

Review guide

1. airbyte-integrations/connectors/source-google-calendar/manifest.yaml — all functional changes (authenticators, spec, config migration, advanced_auth)
2. airbyte-integrations/connectors/source-google-calendar/metadata.yaml — version bump to 0.0.39
3. docs/integrations/sources/google-calendar.md — updated config table and changelog
4. airbyte-integrations/connectors/source-google-calendar/icon.svg — new icon

⚠️ Items worth verifying

• Service Account + Calendar API: The JWT authenticator is modeled after source-google-sheets. Google Calendar service accounts may require domain-wide delegation with a subject (the user email to impersonate) for accessing user-specific calendars. The current implementation does not include a subject field — verify whether this works or if a subject property needs to be added to the Service Account oneOf option.
• OAuth field hiding: The primary reason for adding the second oneOf option (Service Account) is that the platform UI does not hide complete_oauth_server_output_specification fields when there is only a single oneOf option. Confirm via prerelease that client_id and client_secret are now hidden behind the "Authenticate" button.
• Config migration ordering: The migration first runs ConfigAddFields (condition: old top-level fields exist and credentials is absent), then ConfigRemoveFields (condition: credentials is present). Confirm the CDK applies these transformations sequentially on the mutated config within a single ConfigMigration.

User Impact

• New connections: OAuth fields are now hidden behind the "Authenticate via Google" button, consistent with other Google connectors. Service Account Key authentication is also available.
• Existing connections: The config migration transparently restructures the config on sync; no manual reconfiguration needed.

Can this PR be safely reverted and rolled back?

• YES 💚

Link to Devin session: https://app.devin.ai/sessions/7bbf775a6ee347c9a4ee771219c3e133
Requested by: Serhii Lazebnyi (@lazebnyi)

[octavia-bot]

Note

📝 PR Converted to Draft

More info...

Thank you for creating this PR. As a policy to protect our engineers' time, Airbyte requires all PRs to be created first in draft status. Your PR has been automatically converted to draft status in respect for this policy.

As soon as your PR is ready for formal review, you can proceed to convert the PR to "ready for review" status by clicking the "Ready for review" button at the bottom of the PR page.

To skip draft status in future PRs, please include [ready] in your PR title or add the skip-draft-status label when creating your PR.

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• 🛠️ Quick Fixes
  • /format-fix - Fixes most formatting issues.
  • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
    • Bump types: patch (default), minor, major, major_rc, rc, promote.
    • The rc type is a smart default: applies minor_rc if stable, or bumps the RC number if already RC.
    • The promote type strips the RC suffix to finalize a release.
    • Example: /bump-version type=rc or /bump-version type=minor
  • /bump-progressive-rollout-version - Alias for /bump-version type=rc. Bumps with an RC suffix and enables progressive rollout.
• ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
  • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
  • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
  • /ai-review - AI-powered PR review for connector safety and quality gates.
• 🚀 Connector Releases:
  • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
• ☕️ JVM connectors:
  • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
    Example: /update-connector-cdk-version connector=destination-bigquery
• 🐍 Python connectors:
  • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
  • /poe source example lock - Alias for /poe connector source-example lock.
  • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
  • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
• ⚙️ Admin commands:
  • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
    Example: /force-merge reason="CI is flaky, tests pass locally"

📚 Show Repo Guidance

Helpful Resources

• Breaking Changes Guide - Breaking changes, migration guides, and upgrade deadlines
• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

📝 Edit this welcome message.

[github-actions]

source-google-calendar Connector Test Results

3 tests   1 ✅  3s ⏱️
1 suites  2 💤
1 files    0 ❌

Results for commit e81ea6b.

♻️ This comment has been updated with latest results.

[github-actions]

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-kngn2lu76-airbyte-growth.vercel.app

Built with commit e81ea6b.
This pull request is being automatically deployed with vercel-action

[Serhii Lazebnyi (lazebnyi)]

/publish-connectors-prerelease

Pre-release Connector Publish Started

Publishing pre-release build for connector source-google-calendar.
PR: #76066

Pre-release versions will be tagged as {version}-preview.4939986
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-google-calendar:0.0.38-preview.4939986

Docker Hub: https://hub.docker.com/layers/airbyte/source-google-calendar/0.0.38-preview.4939986

Registry JSON:

• OSS Registry
• Cloud Registry

[Serhii Lazebnyi (lazebnyi)]

/publish-connectors-prerelease

Pre-release Connector Publish Started

Publishing pre-release build for connector source-google-calendar.
PR: #76066

Pre-release versions will be tagged as {version}-preview.89fc6ac
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-google-calendar:0.0.39-preview.89fc6ac

Docker Hub: https://hub.docker.com/layers/airbyte/source-google-calendar/0.0.39-preview.89fc6ac

Registry JSON:

• OSS Registry
• Cloud Registry

[Serhii Lazebnyi (lazebnyi)]

/publish-connectors-prerelease

Pre-release Connector Publish Started

Publishing pre-release build for connector source-google-calendar.
PR: #76066

Pre-release versions will be tagged as {version}-preview.e81ea6b
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-google-calendar:0.0.39-preview.e81ea6b

Docker Hub: https://hub.docker.com/layers/airbyte/source-google-calendar/0.0.39-preview.e81ea6b

Registry JSON:

• OSS Registry
• Cloud Registry

[github-actions]

[markdownlint-fix] _{reported by reviewdog 🐶}

Suggested change

	| Stream Name | Primary Key | Pagination | Supports Full Sync | Supports Incremental |
	| Stream Name | Primary Key | Pagination | Supports Full Sync | Supports Incremental |