Configure additional certificate extensions for Buildkite
The Buildkite Issuer was added in sigstore#890, prior to the efforts to standardise
certificate extensions for CI providers, and sigstore#1074 calls for the Buildkite
issuer to be updated to use the new extensions (where applicable).

This is an early attempt to make those changes. I initially started these in sigstore#1307,
however, this is a new swing at it using the new CIProvider issuer (see sigstore#1729 and sigstore#1743).

I've added the extensions that make the most sense in a Buildkite context, like
RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the
other extensions don't apply because we're not a code host as well, or need
further discussion.

I have not added tests yet. This is my first contribution to fulcio and I'm
keen to confirm I'm heading in the right direction before adding tests.
However, I have tested this locally with a Buildkite agent and OIDC token, and
the certificate was issued as expected.

I started a local fulcio like this:

    $ go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/identity/config.yaml

... and signed git commits with gitsign. The relevant bits of the
certificates look like:

    git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
    ...
    X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Extended Key Usage:
        Code Signing
    X509v3 Subject Key Identifier:
        CE:BC:6A:68:02:C1:00:E9:6E:CE:F6:1C:19:36:08:DC:4B:F0:D5:45
    X509v3 Authority Key Identifier:
        6C:D8:1D:E8:94:96:6F:B5:2F:D6:15:44:A2:11:B5:1B:BF:A4:A4:E9
    X509v3 Subject Alternative Name: critical
        URI:https://buildkite.com/yob-opensource/oidc-signing-experiment
    1.3.6.1.4.1.57264.1.1:
        https://agent.buildkite.com
    1.3.6.1.4.1.57264.1.8:
        ..https://agent.buildkite.com
    1.3.6.1.4.1.57264.1.13:
        .(078a6dd4a32fa40592c21a40aedaf27105503140
    1.3.6.1.4.1.57264.1.21:
        .xhttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/%!s(float64=42)#01942921-7883-409b-81d0-3f6b20bcdabf
yob committed Jan 2, 2025
1 parent 854cd8c commit 6433fea
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion config/identity/config.yaml
@@ -236,4 +236,13 @@ ci-issuer-metadata:
*buildkite-type:
default-template-values:
url: "https://buildkite.com"
subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"
extension-templates:
# Link to the specific Buildkite job that the OIDC token was generated from
run-invocation-uri: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}/builds/{{.build_number}}#{{.job_id}}"
# TODO Was the job executed on Buildkite operated compute or customer hosted compute? (valid values: self-hosted, buildkite-hosted)
# runner-environment: "runner_environment"
# The git sha that job was running, available in the `build_commit` claim
source-repository-digest: "build_commit"
# TODO build_source: Event that triggered this workflow run. (valid values: api, ui, webhook, trigger_job, schedule)
# build-trigger: "build_source"
subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" # seems correct, do we still need the code in pkg/identity/buildkite/principal.go ?
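Review bot: The `run-invocation-uri` template in this hunk produces a broken value as committed: the certificate dump in the commit message shows the 1.3.6.1.4.1.57264.1.21 extension as `.../builds/%!s(float64=42)#...`, so `{{.build_number}}` is being formatted with a `%s` verb on a JSON number. The template (or the claim rendering it relies on) needs to handle numeric claims before this extension is usable by verifiers. Separately, the trailing `# seems correct, do we still need the code in pkg/identity/buildkite/principal.go ?` on the `subject-alternative-name-template` line is a question for the PR discussion and should not land in config.yaml; the two `# TODO` keys (`runner-environment`, `build-trigger`) should either be resolved here or tracked in an issue so the commented-out mappings do not linger.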

0 comments on commit 6433fea
