cosign
Better docs about ambient credential detection
Problem
The current OIDC device flow prints out a URL to complete OIDC and then waits for the OIDC token. However, this is not compatible with how GitHub Actions logging is buffered, as the printed URL may not be visible until the 300-second timeout if the Actions log is opened too early or too late.
Proposed Solution
I wonder if we can split the flow into two commands. One command would print out the URL, while the other command would wait for the token. This approach has the added benefit of easily allowing the printed URL to be redirected to other devices, via a notification service, so that the user doesn't have to actively wait for the GitHub Actions job to reach the Cosign step. The method for communicating the necessary information to continue the OIDC protocol (if any) needs some thinking, but it could be an environment variable, a command-line argument, or a file, and GitHub Actions can handle any of these. I'd prefer to leave the details of how to implement this information-passing part to those who are more familiar with the OIDC protocol.
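The two-command split proposed above, written out as an added example against the OAuth 2.0 device authorization grant (RFC 8628) that OIDC device flows build on. This is illustration code, not cosign's implementation and not part of the issue: the in-process mock issuer, the `sigstore` client ID, the `/device` and `/token` endpoint paths, the state-file location and the token values are all constructed for the demo. Command 1 (`StartDeviceFlow`) obtains the device code and the URL to print, then exits; the state is handed over through a file; command 2 (`WaitForToken`) polls the token endpoint, handling the `authorization_pending` and `slow_down` responses the RFC defines and treating any other error as terminal.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"sync/atomic"
	"time"
)

// DeviceAuth is the state the "start" command hands to the "wait" command: the
// RFC 8628 section 3.2 response plus the token endpoint to poll later.
type DeviceAuth struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	Interval        int    `json:"interval"`
	TokenEndpoint   string `json:"token_endpoint"`
}

// postForm posts a form and decodes the JSON reply into v, whatever the status.
func postForm(endpoint string, form url.Values, v any) error {
	resp, err := http.PostForm(endpoint, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(v)
}

// StartDeviceFlow (command 1) requests a device code and returns at once with
// the URL to show the user; nothing here waits on the user.
func StartDeviceFlow(deviceEndpoint, tokenEndpoint, clientID string) (*DeviceAuth, error) {
	da := &DeviceAuth{TokenEndpoint: tokenEndpoint, Interval: 5} // 5 s is the RFC 8628 default
	err := postForm(deviceEndpoint, url.Values{"client_id": {clientID}, "scope": {"openid email"}}, da)
	if err == nil && da.DeviceCode == "" {
		err = fmt.Errorf("device authorization response lacks device_code")
	}
	if err != nil {
		return nil, err
	}
	return da, nil
}

// SaveState/LoadState carry the state between the two commands through a file
// (a flag or environment variable would carry the same JSON). The device_code
// lets its holder collect the token, so the file is written mode 0600.
func SaveState(path string, da *DeviceAuth) error {
	b, _ := json.Marshal(da)
	return os.WriteFile(path, b, 0o600)
}

func LoadState(path string) (da *DeviceAuth, err error) {
	b, err := os.ReadFile(path)
	if err == nil {
		err = json.Unmarshal(b, &da)
	}
	return da, err
}

// WaitForToken (command 2) polls the token endpoint at most maxPolls times,
// handling authorization_pending and slow_down per RFC 8628 section 3.5.
// sleep is injected so the back-off can be tested without real delays.
func WaitForToken(da *DeviceAuth, clientID string, maxPolls int, sleep func(time.Duration)) (string, error) {
	interval := time.Duration(da.Interval) * time.Second
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"},
		"device_code": {da.DeviceCode}, "client_id": {clientID}}
	for i := 0; i < maxPolls; i++ {
		var body struct {
			IDToken string `json:"id_token"`
			Error   string `json:"error"`
		}
		if err := postForm(da.TokenEndpoint, form, &body); err != nil {
			return "", err
		}
		switch body.Error {
		case "":
			if body.IDToken != "" {
				return body.IDToken, nil
			}
			return "", fmt.Errorf("token response without id_token")
		case "authorization_pending": // user has not approved yet; poll again
		case "slow_down":
			interval += 5 * time.Second // server-mandated back-off
		default: // access_denied, expired_token, invalid_grant are terminal
			return "", fmt.Errorf("token endpoint error: %s", body.Error)
		}
		sleep(interval)
	}
	return "", fmt.Errorf("no approval after %d polls; start a new flow", maxPolls)
}

// newMockIssuer is a constructed stand-in for the OIDC provider: /token answers
// slow_down once, authorization_pending until approveAfter polls, then the token.
func newMockIssuer(approveAfter int32) *httptest.Server {
	var polls int32
	mux := http.NewServeMux()
	srv := httptest.NewServer(mux)
	reply := func(w http.ResponseWriter, status int, v any) { w.WriteHeader(status); json.NewEncoder(w).Encode(v) }
	mux.HandleFunc("/device", func(w http.ResponseWriter, r *http.Request) {
		reply(w, 200, map[string]any{"device_code": "dev-code-constructed", "user_code": "ABCD-1234",
			"verification_uri": srv.URL + "/activate", "interval": 1})
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		switch n := atomic.AddInt32(&polls, 1); {
		case r.FormValue("device_code") != "dev-code-constructed":
			reply(w, 400, map[string]string{"error": "invalid_grant"})
		case n == 1:
			reply(w, 400, map[string]string{"error": "slow_down"})
		case n <= approveAfter:
			reply(w, 400, map[string]string{"error": "authorization_pending"})
		default:
			reply(w, 200, map[string]string{"id_token": "constructed.id.token"})
		}
	})
	return srv
}

func main() {
	issuer := newMockIssuer(2)
	defer issuer.Close()
	da, err := StartDeviceFlow(issuer.URL+"/device", issuer.URL+"/token", "sigstore")
	if err != nil {
		panic(err)
	}
	fmt.Printf("Open %s and enter code %s\n", da.VerificationURI, da.UserCode) // command 1's whole output
	state := os.TempDir() + "/device-state.json"
	_ = SaveState(state, da)
	da, _ = LoadState(state) // command 2 picks the state up here
	fmt.Println(WaitForToken(da, "sigstore", 10, func(d time.Duration) { time.Sleep(d / 10) }))
}
```

Two points the split makes visible. The `device_code` is the only thing the second command needs to redeem the token, so whichever channel carries the state between the commands (file, environment variable, argument) has to be treated as a credential, not as a log line; the example writes the file with mode 0600 for that reason. And RFC 8628 device codes carry an `expires_in` (omitted by the mock), so a notification sent to another device buys the user only that window; if the second command starts after it, the provider answers `expired_token` and the flow has to be started again.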