sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Add support for GitHub Actions OIDC new claims #2719

Open wata727 opened 1 year ago

wata727 commented 1 year ago

Description

See also https://github.blog/changelog/2023-01-10-github-actions-openid-connect-token-now-supports-more-claims-for-configuring-granular-cloud-access/

Recently, GitHub announced that OpenID Connect token supports more claims.

https://token.actions.githubusercontent.com/.well-known/openid-configuration

It may be useful to support these claims, like --certificate-github-workflow-repository, which is already supported. In particular, the repository_id is more secure, as it is not affected by repojacking, unlike the repository.

What do you think about this? If this makes sense, I can work on it. Depending on https://github.com/sigstore/cosign/issues/2691, this may not be necessary.
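The repojacking point above, as an added example that is not from this issue or the cosign project: a constructed GitHub Actions OIDC token is decoded and evaluated against a policy that pins repository_id and repository_owner_id rather than the "owner/name" string. The claim names follow GitHub's OIDC token documentation; the demo token, the ids and the Policy class are assumptions made for the illustration.

```python
import base64
import json
from dataclasses import dataclass


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Parse the JWT payload only. Signature verification is assumed to have
    happened upstream (Fulcio verifies the token before issuing a certificate)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"malformed JWT: expected 3 segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


@dataclass(frozen=True)
class Policy:
    """Pin the numeric ids, which survive renames, transfers and re-registration
    of a deleted name, instead of the mutable 'owner/name' string (assumed class)."""
    repository_id: str
    repository_owner_id: str

    def allows(self, claims: dict) -> bool:
        return (claims.get("repository_id") == self.repository_id
                and claims.get("repository_owner_id") == self.repository_owner_id)


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned demo token (empty signature segment); not a real GitHub token."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    policy = Policy(repository_id="12345", repository_owner_id="777")
    # Constructed claims: same "owner/name", but the second token comes from a repository
    # re-created under the old name after the original was renamed or deleted.
    original = {"repository": "octo-org/tool", "repository_id": "12345", "repository_owner_id": "777"}
    recreated = {"repository": "octo-org/tool", "repository_id": "99999", "repository_owner_id": "888"}
    for claims in (original, recreated):
        got = decode_claims(make_demo_token(claims))
        name_match = got["repository"] == "octo-org/tool"
        print(f"repo={got['repository']} name_match={name_match} id_policy={policy.allows(got)}")
```

A name-only check accepts both tokens; the id-based policy accepts only the original repository.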

haydentherapper commented 1 year ago

This work is dependent on fulcio including these claims from the OIDC token in the certificate, which is ongoing in https://github.com/sigstore/fulcio/pull/945. We can then add flags for the new claims, though we should be able to drop GitHub from the flag name since they’ll be standardized for all CI platforms.

haydentherapper commented 1 year ago

This is unblocked now.