Cosign supports 'ambient credential detection' for a number of environments where OIDC identities are available by default. We should also similarly support:

• GitHub Actions (internal/oidc, test: ambient credentials, refactoring #59)
• Google Cloud: VMs, GKE clusters, Cloud Build, etc. (Google Cloud ambient credential detection #88, Support Google Cloud impersonation #91)
• GitLab (SaaS): https://docs.gitlab.com/ee/integration/openid_connect_provider.html
  • blocked on Add support for GitLab tokens fulcio#243 (Add GitLab.com OIDC to Fulcio fulcio#983)
    • blocked on https://gitlab.com/groups/gitlab-org/-/epics/7335
• CircleCI: https://circleci.com/docs/2.0/openid-connect-tokens/
  • blocked on Add support for CircleCI tokens fulcio#591
    • blocked on https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokens
  • implementation: sigstore, test: add CircleCI credential detection #72
• BuildKite (oidc: Buildkite support #499)
  • Fulcio: Add Buildkite OIDC to Fulcio fulcio#890

See also https://dlorenc.medium.com/a-bit-of-ambiance-comes-to-sigstore-f80d1d6b1c30

This issue is tracking support for SaaS products and not self-hosted instances, e.g. GitLab's hosted product and not their on-premise or self-hosted services. Self-hosted services are out-of-scope, pending further discussion with Fulcio.