Live interop test points for OIDC + GitHub Actions OIDC identity adapters

[mzargham]

Follows the Flexo live-test reconciliation. Today the identity
adapters validate signature shape + claims projection against
pre-generated tokens but never hit a real IdP.

The GitHub adapter (oracle/identity/adapters/github.py) can be
covered today against https://api.github.com/users/{login} and an
optional GH_TOKEN — no decision needed there. The other two need
a sanctioned test point.

Generic OIDC adapter (oracle/identity/adapters/oidc.py)

Live test would prove:

• The discovery doc fetch (/.well-known/openid-configuration) parses
  correctly
• JWKS rotation works (cache invalidation on kid mismatch)
• aud / iss claim policy matches what a real provider emits

Candidate IdPs:

1. Google — discovery doc public; token issuance needs a user
   flow / device-code flow. Heavyweight for CI.
2. Auth0 — free tier; programmatic client-credentials flow easy.
3. Project-owned Keycloak — capex; full control.
4. Sigstore Fulcio (https://oauth2.sigstore.dev/) — already
   public; pairs naturally with Cosign live test in companion issue.

GitHub Actions OIDC adapter (oracle/identity/adapters/gha_oidc.py)

Only meaningful from inside a real GHA workflow with
id-token: write. The live test must run in CI:

• Add live-identity-gha-oidc job to .github/workflows/ci.yml with
  id-token: write
• Request a token, hand to the adapter, assert claim projection
  matches the workflow's identity
• Keep permissions: minimal so the test doesn't expand CI blast
  radius

Decision needed:

• Which OIDC IdP (Sigstore Fulcio? Auth0? something else?) is the
  v0.1 live target?
• OK to add an id-token: write job to CI for the GHA adapter?

[mzargham]

Impl-side ticket blocked on this decision: flexo-rtm#6.