Scorecard action fails when using fulcio - in prod sometimes

[naveensrinivasan]

Description

When signing scorecard results, the prod fulcio fails.

Retrieving signed certificate...

        Note that there may be personally identifiable information associated with this signed artifact.
        This may include the email address associated with the account with which you authenticate.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
Non-interactive mode detected, using device flow.
Enter the verification code SNGK-RDRS in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=SNGK-RDRS
Code will be valid for 300 seconds
2022/12/10 06:18:37 error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert: error obtaining token: expired_token

https://github.com/ossf-tests/scorecard-action/actions/runs/3662971555/jobs/6192441160

[cpanato]

looks like in this case that is missing the GITHUB_TOKEN that should contain the OIDC permission, looks like that job is using SCORECARD_READ_TOKEN

[bobcallaway]

Right - CI runs on Github Actions shouldn't be using the device code flow, but rather using ambient OIDC tokens

[naveensrinivasan]

Sounds good.