add support for circleci --root-issuer in detect_circleci

[meeech]

Opening this as a place to discuss. I will open the PR assuming I get 👍🏼

In looking into pypi-attestations, I see it relies on this package.

This package does the ambient discovery for circleci. circleci introduced support for the --root-issuer flag to force the iss to be oidc.circleci.com

Is there any issue with adding support for this with a root_issuer bool option?
since detect actually executes the command to generate the token.

def detect_circleci(audience: str, root_issuer: bool) -> str | None:
...

I'll then open a separate pr for the sigstore package to set this flag (tbh still tracing my way through the parts, but feels like this is the source where we should at least expose the option to begin with)

[di]

I think I'm ok with it, but my question would be whether we should always default to the root issuer instead (and maybe provide the ability to use the non-route issuer)? I think it would be easier than having to plumb this through from a pypi-attestations invocation.

[woodruffw]

Yeah, I think I agree with @di that we should change the default here; IMO the issuer variance was unintentional (in this package) to begin with, and keeping it fixed would make us consistent with all of the other backends here!

[meeech]

definitely down to make this the default - was concerned about backwards compat for anyone already relying on this package.

[di]

I think it's ok!

[meeech]

aight pr is up!

[meeech]

@di @woodruffw when do you usually do a release? will close this after its out

[di]

@meeech prepped in #440