feat: add apphosting secrets revokeaccess command

[7hokerz]

Description

• [Apphosting] Support revoke Secret Manager secret CLI command #10645

Adds apphosting:secrets:revokeaccess, the inverse command for apphosting:secrets:grantaccess.

The command supports revoking Secret Manager access from either:

• App Hosting backend service accounts via --backend
• User or group emails via --emails

For backend revocation, this removes the selected backend service accounts from:

• roles/secretmanager.secretAccessor
• roles/secretmanager.viewer

(It intentionally preserves roles/secretmanager.secretVersionManager for the App Hosting service agent because that permission is project/App Hosting service-agent scoped rather than backend-specific.)
(However, it may be inaccurate, so It would be great if a reviewer could review this.)

Scenarios Tested

• Ran npx mocha src/apphosting/secrets/index.spec.ts
• Ran npm run test:compile
• Ran npm run lint:changed-files
• Manual test with node lib/bin/firebase.js apphosting:secrets:revokeaccess ... --debug

Sample Commands

npx firebase apphosting:secrets:revokeaccess

[gemini-code-assist]

Code Review

This pull request introduces the apphosting:secrets:revokeaccess command, allowing users to revoke permissions on specified secrets for service accounts, users, or groups. It implements the underlying helper functions revokeSecretAccess and revokeEmailsSecretAccess along with their unit tests. The review feedback suggests robustly handling potential whitespace in comma-separated inputs (secret names and emails) by trimming them, and optimizing performance by parallelizing sequential asynchronous operations (such as secret existence checks and IAM binding revocations) using Promise.all.

[7hokerz]

@aalej @joehan , Could you please take a look at this when you have a moment?

[codecov-commenter]

Codecov Report

❌ Patch coverage is 90.47619% with 4 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@33ff901). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
src/apphosting/secrets/index.ts	90.24%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #10669   +/-   ##
=======================================
  Coverage        ?   57.75%           
=======================================
  Files           ?      608           
  Lines           ?    39158           
  Branches        ?     7846           
=======================================
  Hits            ?    22617           
  Misses          ?    14732           
  Partials        ?     1809           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[7hokerz]

@IzaakGough , I think the CI results are out. Please let me know if there are any further actions required from me.

[aalej]

I'm going to assign @joehan as a reviewer since he's more familiar with our internal API review process. Could you also add a changelog entry for this? Thanks again for the contribution!

[7hokerz]

@aalej , I have added the changelog entry as requested.

[joehan]

Looks good to me (with some minor suggestions). I'll kick off the internal API review for this - it may take a little while to resolve, but i'll make sure this gets merged in once it is completed.

[7hokerz]

@joehan , Thank you for the review. I have added the suggestions.