
Workload identities for pipelines #4837

Open
3 tasks done
jenrik opened this issue Feb 13, 2025 · 1 comment
Labels
feature add new functionality

Comments

@jenrik
Contributor

jenrik commented Feb 13, 2025

Clear and concise description of the problem

I'm wishing for a way to grant individual pipeline executions access to external resources based on their identity (repo name, branch, git commit, pipeline name, triggered by, ...). External resources include things such as container registries.
Signing and generating attestations for artifacts with Sigstore's cosign, which is a growing need due to EU legislation such as NIS2, requires a way to identify the build pipeline in order to issue signing certificates.

Suggested solution

The core idea is to take inspiration from Github Actions, where tokens are issued to pipelines on-demand, and implement an OAuth2 provider in Woodpecker that issues tokens to pipelines with specialized fields and claims identifying the specific pipeline execution.

Alternative

Adding secrets to pipelines via the existing secrets mechanism can give us some of the functionality, but lacks the fine-grained access that can be given by issuing tokens with exact information about a specific pipeline execution. It is also vulnerable to secret leakage, since the secrets have a lifetime far greater than a single execution.

Additional context

A lot of legislation is arriving that demands greater and greater cyber security and supply-chain security. Figuring out how we can best support cosign with Woodpecker can become important for future use of Woodpecker in commercial settings. And personally I'm very interested in being able to produce SLSA level 3 compliant software artifacts.

Validations

  • Checked that the feature isn't part of the next version already [https://woodpecker-ci.org/versions]
  • Read the docs.
  • Checked that there isn't already an issue that requests the same feature, to avoid creating a duplicate.
@jenrik jenrik added the feature add new functionality label Feb 13, 2025
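To make the proposal concrete, here is an added, self-contained sketch of the token flow the issue describes: the CI server mints a short-lived JWT whose claims pin one pipeline execution, and a consumer such as a registry verifies the token and makes a claim-based authorization decision. This is illustrative code written for this thread, not Woodpecker code or the author's proposal. It assumes hypothetical claim names (`repo`, `ref`, `commit`, `pipeline`, `event`, `run_id`), a hypothetical issuer URL, and uses an HS256 shared secret in place of the asymmetric keys a real OIDC provider would publish via JWKS, so that it runs with the standard library only.

```python
"""Toy workload-identity flow: the CI server mints a short-lived token whose
claims identify one pipeline execution; a consumer (e.g. a registry) verifies
the token and applies a claim-based policy.  Constructed example, not Woodpecker code."""
import base64
import hashlib
import hmac
import json

# HS256 shared secret stands in for the asymmetric keys an OIDC provider would
# publish via JWKS; it keeps the example runnable with only the standard library.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://woodpecker.example/oidc"   # hypothetical issuer URL

# Constructed description of one pipeline execution (claim names are assumed).
SAMPLE_EXECUTION = {
    "repo": "acme/api",
    "ref": "refs/heads/main",
    "commit": "0123456789abcdef0123456789abcdef01234567",
    "pipeline": "release",
    "event": "push",
    "run_id": 4242,
}

# Constructed consumer-side policy: which executions may push which image.
POLICY = {
    "registry.example/acme/api": {
        "repo": "acme/api",
        "refs": {"refs/heads/main"},
        "events": {"push", "tag"},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(key: bytes, execution: dict, now: int, audience: str, ttl: int = 600) -> str:
    """Server side: mint a JWT whose claims identify exactly one execution."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": audience,          # token is only good for this one consumer
        "iat": now,
        "exp": now + ttl,         # lifetime bounded to the run, not the repo
        "sub": f"repo:{execution['repo']}:ref:{execution['ref']}",
        **execution,
    }
    signing_input = f"{_encode(header)}.{_encode(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(key: bytes, token: str, audience: str, now: int) -> dict:
    """Consumer side: check signature, algorithm, issuer, audience and validity window."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    signing_input = f"{head_b64}.{claims_b64}"
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this consumer")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("token outside validity window")
    return claims


def authorize_push(claims: dict, policy: dict, image: str) -> bool:
    """Fine-grained decision on the execution's claims rather than on a long-lived secret."""
    rule = policy.get(image)
    if rule is None:
        return False
    return (
        claims.get("repo") == rule["repo"]
        and claims.get("ref") in rule["refs"]
        and claims.get("event") in rule["events"]
    )


if __name__ == "__main__":
    tok = issue_token(DEMO_KEY, SAMPLE_EXECUTION, now=1_700_000_000, audience="registry.example")
    claims = verify_token(DEMO_KEY, tok, audience="registry.example", now=1_700_000_100)
    print("push to acme/api allowed:", authorize_push(claims, POLICY, "registry.example/acme/api"))
```

The point the alternative section makes shows up in `authorize_push`: the same token that lets a `main` push publish the image is useless to a feature-branch run or after `exp`, which a repository-wide secret cannot express.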
@jenrik
Contributor Author

jenrik commented Feb 13, 2025

I'm willing to put in the work to implement this feature, but I would prefer to have the project's support before committing the time.
