Support non-regex build identity in params task

See related slack discussion:
https://redhat-internal.slack.com/archives/C0A2WFPBR29/p1771940901598689

It's not 100% clear if the plan is to use the regex, or the string
value for the certificate identity. I'm making an assumption about
the configmap key value.

(This might need tweaking in future, but I think that's okay. My
goal is to get something that might work, with good test coverage,
and then iterate as needed.)

Ref: https://issues.redhat.com/browse/EC-1695

Author: simonbaird

docs/modules/ROOT/pages/collect-keyless-signing-params.adoc

@@ -33,6 +33,8 @@ allowing the pipeline to continue without signing parameters.
 
 *tufExternalUrl*:: The external URL of the TUF repository.
 
+*buildIdentity*:: The build identity from the OIDC token claims, if applicable.
+
 *buildIdentityRegexp*:: A regular expression to extract build identity from the OIDC token claims, if applicable.
 
 *keylessSigningEnabled*:: A flag indicating whether keyless signing is enabled based on the presence of signing parameters.

features/__snapshots__/task_validate_image.snap

@@ -604,6 +604,7 @@ results.defaultOIDCIssuer: https://kubernetes.default.svc.cluster.local
 results.rekorExternalUrl: https://rekor.example.com
 results.fulcioExternalUrl: https://fulcio.example.com
 results.tufExternalUrl: https://tuf.example.com
+results.buildIdentity: https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller
 results.buildIdentityRegexp: ^https://konflux-ci.dev/.*$
 
 ---
@@ -616,6 +617,7 @@ results.defaultOIDCIssuer:
 results.rekorExternalUrl: 
 results.fulcioExternalUrl: 
 results.tufExternalUrl: 
+results.buildIdentity: 
 results.buildIdentityRegexp: 
 
 ---
@@ -629,6 +631,7 @@ results.defaultOIDCIssuer:
 results.rekorExternalUrl: 
 results.fulcioExternalUrl: 
 results.tufExternalUrl: 
+results.buildIdentity: 
 results.buildIdentityRegexp: 
 
 ---
@@ -642,6 +645,7 @@ results.defaultOIDCIssuer:
 results.rekorExternalUrl: 
 results.fulcioExternalUrl: 
 results.tufExternalUrl: 
+results.buildIdentity: 
 results.buildIdentityRegexp: 
 
 ---

features/task_validate_image.feature

@@ -468,6 +468,7 @@ Feature: Verify Enterprise Contract Tekton Tasks
         "rekorExternalUrl": "https://rekor.example.com",
         "fulcioExternalUrl": "https://fulcio.example.com",
         "tufExternalUrl": "https://tuf.example.com",
+        "buildIdentity": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller",
         "buildIdentityRegexp": "^https://konflux-ci.dev/.*$",
         "enableKeylessSigning": "true"
       }
@@ -480,6 +481,7 @@ Feature: Verify Enterprise Contract Tekton Tasks
      And the task result "rekorExternalUrl" should equal "https://rekor.example.com"
      And the task result "fulcioExternalUrl" should equal "https://fulcio.example.com"
      And the task result "tufExternalUrl" should equal "https://tuf.example.com"
+     And the task result "buildIdentity" should equal "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
      And the task result "buildIdentityRegexp" should equal "^https://konflux-ci.dev/.*$"
      And the task result "keylessSigningEnabled" should equal "true"
 
@@ -495,6 +497,7 @@ Feature: Verify Enterprise Contract Tekton Tasks
         "rekorExternalUrl": "https://rekor.example.com",
         "fulcioExternalUrl": "https://fulcio.example.com",
         "tufExternalUrl": "https://tuf.example.com",
+        "buildIdentity": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller",
         "buildIdentityRegexp": "^https://konflux-ci.dev/.*$",
         "enableKeylessSigning": "false"
       }

tasks/collect-keyless-signing-params/0.1/collect-keyless-signing-params.yaml

@@ -67,6 +67,11 @@ spec:
       description: |
         The external URL of the TUF repository.
 
+    - name: buildIdentity
+      type: string
+      description: |
+        The build identity from the OIDC token claims, if applicable.
+
     - name: buildIdentityRegexp
       type: string
       description: |
@@ -103,6 +108,7 @@ spec:
         rekorExternalUrl=""
         fulcioExternalUrl=""
         tufExternalUrl=""
+        buildIdentity=""
         buildIdentityRegexp=""
 
         # Read from the ConfigMap
@@ -120,6 +126,7 @@ spec:
               rekorExternalUrl=$(jq -r '.data.rekorExternalUrl // ""' "$KFLX_CONFIG_PATH")
               fulcioExternalUrl=$(jq -r '.data.fulcioExternalUrl // ""' "$KFLX_CONFIG_PATH")
               tufExternalUrl=$(jq -r '.data.tufExternalUrl // ""' "$KFLX_CONFIG_PATH")
+              buildIdentity=$(jq -r '.data.buildIdentity // ""' "$KFLX_CONFIG_PATH")
               buildIdentityRegexp=$(jq -r '.data.buildIdentityRegexp // ""' "$KFLX_CONFIG_PATH")
             else
               # Otherwise we ignore the reast of the ConfigMap
@@ -135,6 +142,7 @@ spec:
         echo -n "$rekorExternalUrl" > "$(results.rekorExternalUrl.path)"
         echo -n "$fulcioExternalUrl" > "$(results.fulcioExternalUrl.path)"
         echo -n "$tufExternalUrl" > "$(results.tufExternalUrl.path)"
+        echo -n "$buildIdentity" > "$(results.buildIdentity.path)"
         echo -n "$buildIdentityRegexp" > "$(results.buildIdentityRegexp.path)"
 
         # Output for troubleshooting/debugging
@@ -143,6 +151,7 @@ spec:
         echo "results.rekorExternalUrl: $rekorExternalUrl"
         echo "results.fulcioExternalUrl: $fulcioExternalUrl"
         echo "results.tufExternalUrl: $tufExternalUrl"
+        echo "results.buildIdentity: $buildIdentity"
         echo "results.buildIdentityRegexp: $buildIdentityRegexp"
       env:
         - name: configMapNamespace