remove oidc config from gradle plugin

- non-ambient credentials should be configured by signing-config
- ambient credentially are now unmodifiable defaults (behavior
  that is consistent with other clieints)

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

sandbox/gradle-precompiled-plugin/src/main/kotlin/sigstore-conventions.gradle.kts

@@ -3,7 +3,4 @@ plugins {
 }
 
 sigstoreSign {
-    oidcClient {
-        gitHub()
-    }
 }

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/GitHubActionsOidc.kt

@@ -47,10 +47,6 @@ abstract class SigstoreSignExtension(private val project: Project) {
 
     init {
         sigstoreJavaVersion.convention("2.0.0-rc2")
-        (this as ExtensionAware).extensions.create<OidcClientExtension>(
-            "oidcClient",
-            project.objects,
-        )
     }
 
     fun sign(publications: DomainObjectCollection<Publication>) {
@@ -70,13 +66,6 @@ abstract class SigstoreSignExtension(private val project: Project) {
         }
     }
 
-    val oidcClient: OidcClientExtension
-        get() = (this as ExtensionAware).the()
-
-    fun oidcClient(configure: Action<OidcClientExtension>) {
-        configure.execute((this as ExtensionAware).the())
-    }
-
     private fun <T : PublicationArtifact> sign(publication: PublicationInternal<T>) {
         val taskName = publication.signingTaskName
         val signatureDirectory = project.layout.buildDirectory.dir("sigstore/$taskName")

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/OidcClientConfiguration.kt

@@ -16,7 +16,6 @@
  */
 package dev.sigstore.sign.tasks
 
-import dev.sigstore.sign.OidcClientConfiguration
 import dev.sigstore.sign.SigstoreSignExtension
 import dev.sigstore.sign.SigstoreSignature
 import dev.sigstore.sign.services.SigstoreSigningService
@@ -86,9 +85,6 @@ abstract class SigstoreSignFilesTask : DefaultTask() {
     @get:Internal
     abstract val signatureDirectory: DirectoryProperty
 
-    @get:Internal
-    abstract val oidcClient: Property<OidcClientConfiguration>
-
     @get:Nested
     @get:Optional
     abstract val launcher: Property<JavaLauncher>
@@ -114,9 +110,6 @@ abstract class SigstoreSignFilesTask : DefaultTask() {
             false
         }
         sigstoreClientClasspath.from(project.configurations["sigstoreClientClasspath"])
-        oidcClient.convention(
-            project.the<SigstoreSignExtension>().oidcClient.client
-        )
         signatureDirectory.convention(
             layout.buildDirectory.dir("sigstore/$name")
         )
@@ -201,7 +194,6 @@ abstract class SigstoreSignFilesTask : DefaultTask() {
                     submit(SignWorkAction::class.java) {
                         inputFile.set(file)
                         outputSignature.set(signature.outputSignature)
-                        oidcClient.set(this@SigstoreSignFilesTask.oidcClient)
                     }
                     // Wait after submitting each action, so the worker become active, and we can reuse it.
                     // It enables reusing Fulcio certificates

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/OidcClientExtension.kt

@@ -17,31 +17,22 @@
 package dev.sigstore.sign.work
 
 import dev.sigstore.KeylessSigner
-import dev.sigstore.oidc.client.OidcClient
-import dev.sigstore.oidc.client.OidcClients
-import dev.sigstore.sign.OidcClientConfiguration
 import org.gradle.api.file.RegularFileProperty
-import org.gradle.api.provider.Property
-import org.gradle.internal.impldep.org.hamcrest.core.AnyOf
 import org.gradle.workers.WorkAction
 import org.gradle.workers.WorkParameters
 import org.slf4j.LoggerFactory
-import java.util.concurrent.ConcurrentHashMap
 
 abstract class SignWorkParameters : WorkParameters {
     abstract val inputFile: RegularFileProperty
     abstract val outputSignature: RegularFileProperty
-    abstract val oidcClient: Property<OidcClientConfiguration>
 }
 
 abstract class SignWorkAction : WorkAction<SignWorkParameters> {
     companion object {
         private val logger = LoggerFactory.getLogger(SignWorkAction::class.java)
-
-        private val clients = ConcurrentHashMap<Any, KeylessSigner>()
-
-        // the default key that delegates to KeylessSigners set of default OIDC providers
-        const val DEFAULT_KEY = "_default"
+        private val signer: KeylessSigner by lazy {
+            KeylessSigner.builder().sigstorePublicDefaults().build()
+        }
     }
 
     abstract val parameters: SignWorkParameters
@@ -50,16 +41,6 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
         val inputFile = parameters.inputFile.get().asFile
         logger.info("Signing in Sigstore: {}", inputFile)
 
-        val signerKey = if (parameters.oidcClient.isPresent) parameters.oidcClient.get().key() else DEFAULT_KEY
-        val signer = clients.computeIfAbsent(signerKey) {
-            KeylessSigner.builder().apply {
-                sigstorePublicDefaults()
-                if (signerKey != DEFAULT_KEY) {
-                    forceCredentialProviders(OidcClients.of(parameters.oidcClient.get().build() as OidcClient))
-                }
-            }.build()
-        }
-
         val result = signer.signFile(inputFile.toPath())
         val bundleJson = result.toJson()
         parameters.outputSignature.get().asFile.writeText(bundleJson)