Add --subject-claim flag to oidc request-token#3784

Merged
SorchaAbel merged 1 commit into main from pb-1331-add-subject-claim-flag-to-buildkite-agent-oidc-request-token on Mar 30, 2026

Conversation

@zero51 zero51 commented Mar 27, 2026

Description

Adds a --subject-claim flag to buildkite-agent oidc request-token, allowing users to specify an immutable claim (e.g. cluster_id, pipeline_id) as the OIDC token's subject instead of the default compound subject.

This unblocks Azure federated identity credentials, which reject wildcard sub claims like commit:* that appear in the default compound subject.

Context

  • Linear: PB-1331.
  • Depends on: PB-1329 (API-side acceptance of subject_claim parameter).

Changes

New --subject-claim flag added, following the existing pattern of --audience, --claim and --aws-session-tag:

$ buildkite-agent oidc request-token --help
  --subject-claim value       An immutable claim to use as the token's subject (e.g. pipeline_id, cluster_id). If omitted, the default compound subject is used. [$BUILDKITE_OIDC_TOKEN_SUBJECT_CLAIM]
  • api/oidc.go: added SubjectClaim field to OIDCTokenRequest and wired it into the JSON request body as subject_claim with omitempty.
  • clicommand/oidc_request_token.go: added config field, CLI flag (with env var BUILDKITE_OIDC_TOKEN_SUBJECT_CLAIM) and pass-through to API request.
  • api/oidc_test.go: added table-driven test case verifying SubjectClaim serialises correctly.

Testing

  • Tests have run locally (with go test ./...).
  • Code is formatted (with go tool gofumpt -extra -w .).

Disclosures / Credits

Amp (Claude) walked me through the codebase, wrote the implementation and test, and drafted this PR description. I added the EnvVar binding.

Allows specifying an immutable claim (e.g. cluster_id) as the OIDC
token's subject, instead of the default compound subject. This enables
Azure federated identity credentials which reject wildcard sub claims.

Configurable via `--subject-claim` flag or `BUILDKITE_OIDC_TOKEN_SUBJECT_CLAIM`
environment variable. Omitting it preserves existing behavior (omitempty).

Fixes PB-1331.
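The request-body behaviour the description calls out (a subject_claim key that is sent only when the flag or BUILDKITE_OIDC_TOKEN_SUBJECT_CLAIM is set, so an omitted flag leaves the existing default in place) can be checked in isolation. The block below is an added example written for this page, not code from the buildkite-agent repository: the struct, the other field names and tags, the local allow-list of immutable claims and the helper names are all assumptions for illustration. The page states that acceptance of subject_claim is done on the API side (PB-1329); the local allow-list here only fails earlier with a clearer message.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// oidcTokenRequest is an illustrative request body modelled on the change
// the PR describes. Only the subject_claim key and its omitempty behaviour
// come from the PR; the other fields and tag names are assumptions for this
// example, not the agent's real api.OIDCTokenRequest.
type oidcTokenRequest struct {
	Audience     string   `json:"audience,omitempty"`
	Claims       []string `json:"claims,omitempty"`
	SubjectClaim string   `json:"subject_claim,omitempty"`
}

// subjectClaimAllowList is an assumed client-side list of immutable claims
// that may become the subject. The PR leaves acceptance to the API; this
// check only rejects arbitrary strings before a request is made.
var subjectClaimAllowList = map[string]bool{
	"pipeline_id": true,
	"cluster_id":  true,
}

// newOIDCTokenRequest mirrors how a flag value (or its environment variable)
// would be passed through. An empty subjectClaim keeps the default compound
// subject because the key is then omitted from the JSON body.
func newOIDCTokenRequest(audience string, claims []string, subjectClaim string) (*oidcTokenRequest, error) {
	if subjectClaim != "" && !subjectClaimAllowList[subjectClaim] {
		return nil, fmt.Errorf("subject claim %q is not an immutable claim; use pipeline_id or cluster_id", subjectClaim)
	}
	return &oidcTokenRequest{Audience: audience, Claims: claims, SubjectClaim: subjectClaim}, nil
}

// encodeRequest serialises the body as it would be sent to the API.
func encodeRequest(req *oidcTokenRequest) (string, error) {
	b, err := json.Marshal(req)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// hasSubjectClaimKey reports whether the encoded body carries subject_claim
// at all. With omitempty an unset flag must leave the key out entirely, so
// the API falls back to the existing behaviour rather than seeing "".
func hasSubjectClaimKey(body string) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return false
	}
	_, ok := m["subject_claim"]
	return ok
}

func main() {
	// Flag omitted: no subject_claim key in the body.
	def, err := newOIDCTokenRequest("api://AzureADTokenExchange", nil, "")
	if err != nil {
		panic(err)
	}
	body, _ := encodeRequest(def)
	fmt.Println(body, "subject_claim present:", hasSubjectClaimKey(body))

	// Azure case: pin the subject to pipeline_id (an example value).
	az, err := newOIDCTokenRequest("api://AzureADTokenExchange", []string{"organization_id"}, "pipeline_id")
	if err != nil {
		panic(err)
	}
	body, _ = encodeRequest(az)
	fmt.Println(body, "subject_claim present:", hasSubjectClaimKey(body))

	// A free-form subject is rejected locally instead of being sent.
	if _, err := newOIDCTokenRequest("api://AzureADTokenExchange", nil, "organization:acme:pipeline:*"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The audience value is Azure's documented exchange audience and is used here only as sample input; the allow-list is deliberately the two claim names the help text gives as examples and would need to follow whatever the API actually accepts.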
@zero51 zero51 self-assigned this Mar 27, 2026
@zero51 zero51 requested review from a team as code owners March 27, 2026 02:20
@zero51 zero51 requested a review from a team March 27, 2026 02:21
@SorchaAbel SorchaAbel left a comment


LGTM

swebb commented Mar 30, 2026

tl;dr, I think this is good, but I'll let someone more familiar with the Agent and Go approve it.

I was initially nervous because the OIDC subject field is security sensitive; however, I think it's ok. The real dangerous work was in https://github.com/buildkite/buildkite/pull/28662.

This PR doesn't allow setting arbitrary values for subject. Rather, you can specify one of the field names (e.g., cluster_id, or pipeline_id) and Buildkite will populate the subject with only that field. This is a very simplified version of what GitHub provides. Initially I thought we would need compound keys to write a policy to match; however, all of the other claims (org slug, pipeline slug, branch, etc.) are still present in the OIDC token for the policy to match on, they are just no longer in the subject field (if they were there already).
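The two-layer reasoning in the comment above (an exact-match subject for the federated credential, plus the remaining claims for a finer policy) can be made concrete. The block below is an added example written for this page, not code from Buildkite, Azure or the agent: the issuer URL, the compound subject layout, the claim names other than iss/sub/aud, the pipeline id and commit values, and the credential/policy types are all constructed assumptions. The claim sets are unsigned maps; real code must verify the token's signature, issuer, audience and expiry before reading any claim.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tokenClaims is a constructed, already-verified claim set for this example.
// Claim names other than iss/sub/aud are illustrative, not Buildkite's.
type tokenClaims map[string]string

// federatedCredential models the trust configuration of an Azure federated
// identity credential as the PR describes it: issuer, subject and audience
// are compared exactly and the subject cannot contain a wildcard. The type
// and field names are this example's own.
type federatedCredential struct {
	Issuer   string
	Subject  string
	Audience string
}

var errWildcardSubject = errors.New("subject must be an exact value; wildcards such as commit:* are not allowed")

func newFederatedCredential(issuer, subject, audience string) (federatedCredential, error) {
	if strings.Contains(subject, "*") {
		return federatedCredential{}, errWildcardSubject
	}
	return federatedCredential{Issuer: issuer, Subject: subject, Audience: audience}, nil
}

func (f federatedCredential) matches(c tokenClaims) bool {
	return c["iss"] == f.Issuer && c["sub"] == f.Subject && c["aud"] == f.Audience
}

// claimPolicy is the second layer: claims that left the subject are still in
// the token, so a consumer can still require exact values for them.
type claimPolicy map[string]string

func (p claimPolicy) allows(c tokenClaims) bool {
	for k, want := range p {
		if c[k] != want {
			return false
		}
	}
	return true
}

const (
	issuer     = "https://agent.buildkite.com" // assumed issuer for this example
	audience   = "api://AzureADTokenExchange"  // Azure's documented exchange audience
	pipelineID = "0194c1a6-1234-7000-8000-000000000001" // constructed id
)

// compoundSubjectToken is a constructed token whose subject is a default-style
// compound value ending in a commit component. The layout is an assumption
// based on the PR's mention of commit:*; the real default is set by the API.
func compoundSubjectToken(commit string) tokenClaims {
	return tokenClaims{
		"iss":               issuer,
		"aud":               audience,
		"sub":               "organization:acme:pipeline:deploy:ref:refs/heads/main:commit:" + commit,
		"organization_slug": "acme",
		"pipeline_slug":     "deploy",
		"pipeline_id":       pipelineID,
		"branch":            "main",
		"commit":            commit,
	}
}

// pipelineIDSubjectToken is the same job requested with --subject-claim
// pipeline_id: only sub changes, every other claim is unchanged.
func pipelineIDSubjectToken(commit string) tokenClaims {
	c := compoundSubjectToken(commit)
	c["sub"] = c["pipeline_id"]
	return c
}

// evaluate applies both layers and reports each result separately.
func evaluate(fc federatedCredential, p claimPolicy, c tokenClaims) (subjectOK, claimsOK bool) {
	return fc.matches(c), p.allows(c)
}

func main() {
	// "Any commit of this pipeline" cannot be expressed with the compound subject.
	if _, err := newFederatedCredential(issuer, "organization:acme:pipeline:deploy:ref:refs/heads/main:commit:*", audience); err != nil {
		fmt.Println("wildcard credential:", err)
	}
	// With the subject pinned to pipeline_id an exact credential works, and the
	// claim policy still narrows it to one pipeline slug and branch.
	fc, _ := newFederatedCredential(issuer, pipelineID, audience)
	policy := claimPolicy{"pipeline_slug": "deploy", "branch": "main"}
	for _, tok := range []tokenClaims{compoundSubjectToken("abc123"), pipelineIDSubjectToken("abc123")} {
		s, c := evaluate(fc, policy, tok)
		fmt.Printf("sub=%q subjectMatch=%v claimsMatch=%v\n", tok["sub"], s, c)
	}
}
```

The point the example makes is the one in the comment: moving to a single immutable claim widens the subject match (every commit of the pipeline now matches the credential), so the consumer-side claim policy is what keeps the grant scoped to a branch or pipeline slug.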

@DrJosh9000 DrJosh9000 left a comment


LGTM! ✅

@SorchaAbel SorchaAbel merged commit 7485b31 into main Mar 30, 2026
1 check passed
@SorchaAbel SorchaAbel deleted the pb-1331-add-subject-claim-flag-to-buildkite-agent-oidc-request-token branch March 30, 2026 06:27
4 participants