Within CD pipelines, we often need to pull secrets from Doppler using a long lived DOPPLER_TOKEN. This token is long lived and gets stored in a pipeline environment variable. CI/CD vendors are being increasingly targeted with breaches leaking secrets like these. Last year CircleCI had an incident where they advised all their customers to rotate secrets stored in pipeline environment variables. To mitigate breaches of this nature it would be great if Doppler could provide support for generating an ephemeral Doppler token using OIDC. This would mean we would no longer need long long lived credentials in CD pipelines and could generate short lived tokens to retrieve secrets from Doppler where needed.
