ambient tokens support

[jku]

First, the project looks great!

I saw that the ambient token support is not very extensive (also I believe the included gitlab code won't work -- it's using env vars that should not be there anymore and the token in question won't have the audience field Sigstore needs).

I wrote https://github.com/jku/ci-id (basically detect_credentials() as a library) as Rust warmup a while ago. It's not used anywhere yet but a Sigstore client is exactly what I was thinking of: it's basically a re-implementation of the library sigstore-python uses... I'd be happy to make a PR to move some code from there to this repo (or I can add a dependency to ci-id if you'd prefer that). This would add support for gitlab, circleci and buildkite right away (and I can look at google cloud later) and there would be a bunch of tests.

Let me know if any of that sounds good.

[woodruffw]

I came here to open this exact issue 😅

I also reimplemented id for Rust a while back, since uv needs ambient OIDC detection for its built-in Trusted Publishing support (and eventually for PEP 740 support too, which we'd ideally do via these crates!)

The crate that uv is using is here: https://github.com/astral-sh/ambient-id