Native OIDC Token for workload identity federation #33681

Open
Ali-Gamal opened this issue Feb 21, 2025 · 0 comments
Labels
topic/gitea-actions related to the actions of Gitea type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments


Ali-Gamal commented Feb 21, 2025

Feature Description

Hello,

I would like to request a feature enhancement that allows Gitea Actions to produce a fully compliant OIDC token (including standard claims such as iss, sub, aud) for each job.

Use Case:
We want to use Gitea's CI to securely authenticate with Google Cloud via Workload Identity Federation (WIF). Currently, the ACTIONS_RUNTIME_TOKEN is an internal token that doesn't meet Google's OIDC requirements (for example, it doesn't contain the standard iss or sub claims). Because of this, Google's Security Token Service (STS) rejects it, and we cannot perform ephemeral, keyless authentication from Gitea Actions to GCP.

Why It's Important:

  • A real OIDC token from Gitea would let us avoid storing long-lived credentials or rolling our own JWT signing mechanism.
  • Many users want a "GitHub Actions–like" OIDC approach, so they can seamlessly integrate Gitea with GCP (and potentially other OIDC providers) in a secure, short-lived token scenario.
  • This is more secure than storing service account keys, and is increasingly becoming the standard for CI-to-cloud authentication.

Request:

  • Add a configuration or built-in feature that emits a proper OIDC token for each Gitea Actions job, with standard claims (iss, sub, exp, etc.), so it can be exchanged at Google's STS endpoint.
  • Possibly provide a "permissions.id-token: write"-style configuration (similar to GitHub's approach), letting maintainers or repository owners enable/disable issuance of an OIDC token.
@Ali-Gamal Ali-Gamal added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Feb 21, 2025
@techknowlogick techknowlogick added the topic/gitea-actions related to the actions of Gitea label Feb 21, 2025
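To make concrete what "fully compliant" means in the request above, here is an added Go example (Gitea's language) that is not Gitea code and not part of the issue: it mints an RS256 JWT carrying the iss, sub, aud and exp claims the issue names, and then applies the checks a relying party such as an STS performs before accepting such a token. The Claims struct, the function names and all claim values are this example's own assumptions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the minimal claim set the issue asks for (iss, sub, aud, exp); the struct is this example's own assumption.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var enc = base64.RawURLEncoding
// MintToken signs the claims as an RS256 JWT, the shape a Gitea-issued job token would need to carry.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + enc.EncodeToString(sig), nil
}
// VerifyForFederation mirrors what a relying party such as an STS checks: pinned alg, valid signature, expected iss and aud, a non-empty sub, unexpired exp.
func VerifyForFederation(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, errors.New("malformed token") }
	var hdr struct{ Alg string `json:"alg"` } // pin RS256 so "alg":"none" or an HMAC downgrade is refused
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" { return c, errors.New("unsupported alg") }
	sig, err := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature covers header.payload; verify before trusting any claim
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil { return c, errors.New("bad signature") }
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil { return c, errors.New("bad payload") }
	switch {
	case c.Iss != wantIss: return c, errors.New("issuer mismatch")
	case c.Aud != wantAud: return c, errors.New("audience mismatch")
	case c.Sub == "": return c, errors.New("missing sub")
	case !now.Before(time.Unix(c.Exp, 0)): return c, errors.New("token expired")
	}
	return c, nil
}
```

A real issuer would publish the signing public key through its OIDC discovery document so the STS can fetch and rotate it; here the key is handed to the verifier directly.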