Add environment variable token provider.

[wlynch]

Summary

This adds a new token provider that looks for tokens located at SIGSTORE_ID_TOKEN.

This is an alternative to COSIGN_IDENTITY_TOKEN, which is implemented as a Viper binding.

ID_TOKEN was used instead of IDENTITY_TOKEN, since this seems to be consistent with other providers (e.g. ACTIONS_ID_TOKEN_REQUEST_TOKEN). If this ends up being confusing we can add support for both variants later if needed.

Fixes #2863, #2697, #1254

Release Note

• Added new token provider for looking up OIDC tokens in the SIGSTORE_ID_TOKEN environment variable.

Documentation

Should docs be added before this is actually released and available to people? 🤔
(it would be great if we could base the docs on cosign versions)

[codecov]

Codecov Report

Merging #2864 (585bc8c) into main (4e99b40) will increase coverage by 0.06%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #2864      +/-   ##
==========================================
+ Coverage   29.47%   29.54%   +0.06%     
==========================================
  Files         151      152       +1     
  Lines        9679     9681       +2     
==========================================
+ Hits         2853     2860       +7     
+ Misses       6387     6382       -5     
  Partials      439      439              

Impacted Files	Coverage Δ
pkg/cosign/env/env.go	88.88% <ø> (ø)
pkg/providers/envvar/env.go	100.00% <100.00%> (ø)

... and 2 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[haydentherapper]

Why does this solve the GitLab provider issue? Does GitLab let you control which environment variable its ID token is written to, in contrast to the other CI providers which have predefined, fixed env vars?

[wlynch]

Why does this solve the GitLab provider issue? Does GitLab let you control which environment variable its ID token is written to, in contrast to the other CI providers which have predefined, fixed env vars?

Yup! Exactly. So you should be able to do something like this:

build:
  stage: build
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
     - cosign sign ...

https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html

[haydentherapper]

Sweet, thanks for clarifying!

Can you also update pkg/providers/all/all.go?

[haydentherapper]

After this is in, we'll cut Cosign 2.0.1

[hectorj2f]

Yes, I'd say we need a section to describe our available environment variables.

[wlynch]

Can you also update pkg/providers/all/all.go?

Done!