Closed
Labels: component/CLI, component/backend, component/controlplane, enhancement (New feature or request)
Description
A passive authentication mechanism would leverage the existing GITHUB_TOKEN to authenticate/authorize existing workflows against Chainloop. This would mean:
- The GH token should be verified against GH's well-known public key.
- Token claims would contain, at least, the related GH repository reference and the GH workflow being run. Chainloop would check these against an allowlist of valid repositories for the organization.
- The GH workflow would map directly to a Chainloop workflow and contract.
Note that this would entirely replace the need for a CHAINLOOP_API_TOKEN, but it could still leverage ephemeral robot accounts for the attestation itself (see #752).
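The verification flow sketched above, as an added example that is not Chainloop's own code: it assumes the token presented is the GitHub Actions OIDC JWT (issuer `https://token.actions.githubusercontent.com`, whose signing keys are published at `<issuer>/.well-known/jwks`), and a locally generated RSA key stands in for GitHub's key so the example runs offline. The audience value, the allowlist shape (`"owner/repo:workflow"` to Chainloop workflow name) and the `MintToken` helper are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // subset of the GitHub Actions OIDC token that the check relies on
	Iss        string `json:"iss"`
	Aud        string `json:"aud"`
	Repository string `json:"repository"` // "owner/repo"
	Workflow   string `json:"workflow"`   // workflow name from the YAML
}
var enc = base64.RawURLEncoding
func decode(s string) []byte { b, _ := enc.DecodeString(s); return b }
// MintToken signs an RS256 JWT; it stands in for GitHub's token service (assumed helper, test only).
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	signing := enc.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + enc.EncodeToString(sig), err
}
// Authorize verifies the token with GitHub's public key (normally fetched from <issuer>/.well-known/jwks), checks
// iss/aud, then maps "owner/repo:workflow" through the org allowlist. Verification is pinned to RS256; the alg header is ignored.
func Authorize(token, audience string, pub *rsa.PublicKey, allow map[string]string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], decode(parts[2])) != nil {
		return "", errors.New("bad signature")
	}
	var c Claims // claims are trusted only after the signature check above
	if json.Unmarshal(decode(parts[1]), &c) != nil || c.Iss != "https://token.actions.githubusercontent.com" || c.Aud != audience {
		return "", errors.New("issuer or audience mismatch")
	}
	wf, ok := allow[c.Repository+":"+c.Workflow]
	if !ok {
		return "", errors.New("repository/workflow not allowlisted for this org")
	}
	return wf, nil
}
```

A production check would also enforce `exp`/`nbf` and select the key by the token's `kid` from the JWKS document; both are left out here to keep the example short.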