What would you like to be added:
I'm not knowledgeable enough about how the OIDC authentication workflow in CI/CD works. Here are a few documentation links that explain things better than I ever could:
Basically, GitHub and GitLab runners can receive an ID token from GitHub/GitLab respectively and use it to authenticate with an OIDC endpoint (usually a cloud provider). It would be nice if I could use this kind of ID token workflow inside Agola's Step.
Why is this needed:
Using OIDC authentication in CI/CD is much safer than having a static, unexpired credential stored. The token presented in the CI/CD session expires when the job ends.
Additional context:
I prefer the way GitLab does it over GitHub's (just exposing the JWT token as a variable inside the job environment). On the GitHub side you usually need a dedicated Action doing complex things to retrieve the token (an example is aws-actions/configure-aws-credentials).
Gitea currently doesn't support this workflow, but there is work underway (see go-gitea/gitea#26383).
Related topic on Woodpecker side: woodpecker-ci/woodpecker#2285
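The flow described in this issue, seen from the side that accepts the token, as an added example that is not part of the original issue and is not Agola's code: a relying party pins issuer, audience and job subject, verifies the signature with a fixed algorithm, and rejects the token once it has expired. The names `Claims`, `Mint` and `Verify`, the example URLs, the `sub` layout and the use of Ed25519 signatures are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Iss string `json:"iss"` // issuer: the CI server's URL (constructed value below)
	Aud string `json:"aud"` // audience: the service that accepts the token
	Sub string `json:"sub"` // job identity; this layout is an assumption
	Exp int64  `json:"exp"` // expiry, seconds since the epoch
}
var b64 = base64.RawURLEncoding

// Mint stands in for the CI server and signs a constructed job token.
func Mint(key ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(key, []byte(in)))
}

// Verify is the relying party: fixed algorithm, signature before claims.
func Verify(tok string, pub ed25519.PublicKey, want Claims, now time.Time) error {
	p := strings.Split(tok, ".")
	sig, _ := b64.DecodeString(p[len(p)-1])
	if len(p) != 3 || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return errors.New("malformed token or bad signature")
	}
	body, _ := b64.DecodeString(p[1])
	var c Claims
	if json.Unmarshal(body, &c) != nil || c.Iss != want.Iss || c.Aud != want.Aud || c.Sub != want.Sub {
		return errors.New("claims do not match trust policy")
	}
	if now.Unix() >= c.Exp {
		return errors.New("token expired")
	}
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil)
	want := Claims{"https://ci.example.test", "cloud.example.test", "project:demo:ref:main", time.Now().Unix() + 300}
	fmt.Println(Verify(Mint(key, want), pub, want, time.Now()))
}
```

The verifier never reads the algorithm from the token header, so a token cannot choose how it is checked; pinning `sub` is what keeps a token issued to one project or branch from being accepted for another.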