Proposal to move global and command flags to go-witness

[matglas]

Problem

Witness relies as a dependency on go-witness. Some of the commands/attestors that are run are dependent on flags that are set thru global flag on the CLI. This separation makes it hard to introduce new flag or alter existing flags because witness first needs to update its dependency to the latest release of go-witness before it can merge new flags into the repo.

This happens because global flags call on options like WithX on different attestors etc.

Proposal

I believe it would be very helpful to move the registration of global or command flags to the go-witness library. This could be in a internal/cli package that allows us to make clear separation between library and facilitation of the 'companion' cli.

[matglas]

With a bit of work on the registry (https://github.com/in-toto/go-witness/tree/main/registry) its possible to add global options too probably. And add them to the context that is passed around.

[mikhailswift]

One of the primary reasons Witness and go-witness were broken into separate go modules was to keep go-witness's dependencies slim. For instance, a developer using go-witness as a library shouldn't need to have spf13/cobra or logrus as transitive dependencies if they weren't using those CLI/logging libraries. This is the same reason why go-witness uses a logging interface for developers to provide their own logging implementation.

I'm not opposed to reorganizing things to make the development of witness and go-witness simpler when it comes to this, but I do think those goals are important. I'm unclear on how moving global options to go-witness solves the problem of having to update go-witness in Witness when options change/get added, but I could be missing something.

[matglas]

I am all for keeping it slim and making it possible to use it as a library. Thats why I would like to use the approach that attestors already have to register flags. The flags that I am thinking of are 'general' flags that set can be used in the AttestationContext. A flag like we use for dirhash but also the new once for environment should be used to configure a object that is set on the AttestationContext so that multiple attestors can use it. It does not produce an attestion itself.