Power by OIDC exclusively instead of using log based proof. OIDC is the Cool Thing that didn't exist when CFA was originally written, relying on it for the GHA implementation makes sense.
There are two other refactors included in this PR:
Getting a github token from the CFA app now requires a permission dict indicating permissions you want the token to have. This is done as the app now has more permissions than it needs and we don't want to give those permissions to the token we give the client
The OIDC validation logic is now extracted to a generic helper to allow us to re-use it for validating a github actions OIDC token
Power by OIDC exclusively instead of using log based proof. OIDC is the Cool Thing that didn't exist when CFA was originally written, relying on it for the GHA implementation makes sense.
There are two other refactors included in this PR:
Closes #3