Open
Labels: component/CLI, component/backend, component/controlplane, enhancement (New feature or request)
Description
A passive authentication mechanism would leverage the existing GITHUB_TOKEN to authenticate/authorize existing workflows against chainloop. This would mean:
- The GH token should be verified against the GH well-known public key.
- Token claims would contain, at least, the related GH repository reference, and the GH workflow being run. Chainloop would check it against an allowlist of valid repositories for the organization.
- The GH workflow would map directly to a Chainloop workflow and contract.
An example of CLI execution would look like:
```shell
chainloop att init --github-token $GITHUB_TOKEN
```
Note that this would entirely replace the need for a CHAINLOOP_API_TOKEN, but it could still leverage ephemeral robot accounts for the attestation itself (see #752).
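The following is an added illustration of the flow the issue proposes, not Chainloop's own code or a design the maintainers have confirmed. It assumes the token is an RS256-signed JWT carrying `repository` and `workflow` claims (these field names are assumptions, not GitHub's real claim schema), stands in a locally generated RSA key for GitHub's well-known public key so it runs offline, and models the per-organization repository allowlist and the GitHub-workflow-to-Chainloop-workflow mapping as in-memory maps:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ghClaims is the claim subset the issue relies on: repository and workflow.
// Field names are assumptions for this example, not GitHub's or Chainloop's schema.
type ghClaims struct {
	Repository string `json:"repository"`
	Workflow   string `json:"workflow"`
}

// JWT segments are unpadded base64url.
var b64 = base64.RawURLEncoding

// signToken mints a constructed RS256 JWT so the example runs offline. It stands
// in for GitHub as issuer and is not part of the verifying side.
func signToken(priv *rsa.PrivateKey, c ghClaims) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyToken checks the signature against the issuer's public key before any
// claim is trusted. The alg is pinned to RS256 by the verifier, never chosen
// from the token, so an "alg":"none" header is rejected outright.
func verifyToken(pub *rsa.PublicKey, token string) (ghClaims, error) {
	var c ghClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token: expected three segments")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("signature verification failed: %w", err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// authorize is the passive-auth decision from the issue: the repository in the
// verified claims must be on the organization's allowlist, and the GitHub
// workflow maps directly to a Chainloop workflow. Both tables are assumed inputs.
func authorize(c ghClaims, allowedRepos map[string]bool, workflowMap map[string]string) (string, error) {
	if !allowedRepos[c.Repository] {
		return "", fmt.Errorf("repository %q is not allowlisted", c.Repository)
	}
	wf, ok := workflowMap[c.Repository+"/"+c.Workflow]
	if !ok {
		return "", fmt.Errorf("no Chainloop workflow mapped for %s/%s", c.Repository, c.Workflow)
	}
	return wf, nil
}

func main() {
	// Constructed sample: one allowlisted repository, one workflow mapping.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := signToken(priv, ghClaims{Repository: "acme/api", Workflow: "release.yml"})
	claims, err := verifyToken(&priv.PublicKey, tok)
	if err != nil {
		panic(err)
	}
	fmt.Println(authorize(claims, map[string]bool{"acme/api": true}, map[string]string{"acme/api/release.yml": "api-release"}))
}
```

The order matters: signature first, claims second, allowlist third. Nothing in the payload is read until the signature has checked out against a key the verifier already trusts, and the algorithm is fixed by the verifier rather than taken from the header. A production verifier would fetch the public key from the issuer's well-known endpoint and also check the standard `iss`, `aud` and expiry claims, which this sketch omits.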