Add ID token claim for source visibility

Extracted from #404722 (comment 1462094036).

Similar to runner_environment, this would allow policies to target public projects only. See related issue describing npm's use case for blocking the publishing of public packages from private repositories.

• Add project_visibility JWT claim - !125787 (merged)