I needed to add:

jobs:
   my_job:
   # Need to add these 3 lines to add "id-token" with the intended permissions.
   permissions:
     contents: 'read'
     id-token: 'write'

This is documented here: https://github.com/google-github-actions/auth#usage

I suspect (I've not tried it!?) you can simply repeat the google-github-actions/auth step for each unique Service Account key that you want to use.

If you need to repeat the same steps for various credentials, you can likely use GitHub matrix.

You should try this to prove it to yourself.

The documentation doesn't appear to cover this use-case but, I suspect, the step is equivalent to gcloud auth activate-service-account.

If so, then subsequent steps will leverage those credentials (presumably either through gcloud or APPLICATION_DEFAULT_CREDENTIALS) until changed by e.g gcloud auth set account ${EMAIL}

As per the error seems to be you have given invalid json file of service account which is not parsed by the Git actions workflow. As per this official github :

1. (Optional) Create a Google Cloud Service Account. If you already have a Service Account, take note of the email address and skip this step :

    # TODO: replace ${PROJECT_ID} with your value below.             
    gcloud iam service-accounts create "my-service-account" \
      --project "${PROJECT_ID}"

2. Create a Service Account Key JSON for the Service Account.

# TODO: replace ${PROJECT_ID} with your value below.
gcloud iam service-accounts keys create "key.json" \
  --iam-account "my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"

3. Upload the contents of this file as a GitHub Actions Secret. Use the name of the GitHub Actios secret as the credentials_json value in the GitHub Actions YAML:

 uses: 'google-github-actions/auth@v2'
  with:
      credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}' # Replace with the name of your GitHub Actions secret

Can you validate the above steps as per your yaml seems to be you need to give correct service account JSON file and also credentials json format need to be taken care.

---------- or else you can also achieve by using Workload Identity Federation through a Service Account by following this official github

Edit : Sinethemba Nontshintshi, achieved this by Changing the approach and used the Workload Identity Federation through a Service Account method to authenticate, by using this guide on how to set it up in GCP and in the YAML file it is passed as follows :

 - name: Authenticate Google Cloud             
   uses: google-github-actions/auth@v2             
   with: 
     service_account: 'your-service account'              
     workload_identity_provider: 'your-workload-identity-provider'

I finally find out !!! BUT I'm not sure in term of security if there is any risk or not so if anyone can advice I'll edit the answer !

What is changing but I'm not sure in term of security is here :

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"


gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"

I think I don't really get the principalSet option and all the attribute possible so if anyone can advice also on this, I'll be grateful !

Then don't forget to bind your repo to your service account :

gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/artifactregistry.writer

And for the github workflow I remove the google-artifactregistry-auth and i use the access_token in the .npmrc file.

Here is the full workflow :

name: Publish Package
on:
  push:
    branches:
      - main

jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - uses: actions/setup-node@v2
        with:
          node-version: 16

      - name: Install
        run: npm ci

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          token_format: 'access_token'

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"

      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
            @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken="${{ steps.auth.outputs.access_token }}"
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF

      - name: Artifact login
        run: |
          npm publish

For anyone trying to resolve this issue, make sure you have the IAM Service Account Credentials API API enabled, iamcredentials.googleapis.com in your GCP project first, which then enables the creation of short-lived tokens for service account impersonations.