Document ADC credential lifetime behavior for importer

Add detailed doc comment to TryGCloudApplicationDefaultCredentialsFile
explaining that authorized_user refresh tokens have different lifetimes
depending on account type (personal vs managed org), helping users
understand when service account keys are the better choice.

Author: mlsimon734

plugins/gcloud/service_account_key.go

@@ -91,6 +91,20 @@ func (e *jsonError) Error() string {
 
 // TryGCloudApplicationDefaultCredentialsFile imports credentials from the
 // gcloud application default credentials file at ~/.config/gcloud/application_default_credentials.json.
+//
+// This file may contain either a service_account key (long-lived, never expires
+// unless explicitly deleted) or an authorized_user credential generated by
+// "gcloud auth application-default login". Authorized user credentials contain
+// a refresh token whose lifetime depends on the Google account type:
+//
+//   - Personal Gmail accounts: refresh tokens are long-lived and only expire
+//     if revoked, unused for 6 months, or the password is changed.
+//   - Google Workspace / Cloud Identity accounts: refresh tokens are subject
+//     to session length policies configured by the org admin (typically 1–24
+//     hours), after which reauthentication is required.
+//
+// Both types are imported. Users with managed org accounts should prefer
+// service account keys for a more durable credential.
 func TryGCloudApplicationDefaultCredentialsFile() sdk.Importer {
 	return importer.TryFile("~/.config/gcloud/application_default_credentials.json", func(ctx context.Context, contents importer.FileContents, in sdk.ImportInput, out *sdk.ImportAttempt) {
 		var cred gcpCredentialFile