CI: Add OIDC capability for deprecated CI (#42371)

This "breaks" the deprecated schema by allowing unknown attributes to the attributes section of the job types. The breaking change here is that deprecated stacks will no longer ignore attributes that are unknown but rather assume the new CI schema behavior of injecting them into the generated CI configuration. This change is required to secure authentication in Spack CI.
2024-01-31 08:05:57 -06:00 · 2024-01-31 08:05:57 -06:00 · 1f11b3844a
commit 1f11b3844a
parent e129a6f47a
2 changed files with 10 additions and 1 deletions
--- a/lib/spack/spack/schema/gitlab_ci.py
+++ b/lib/spack/spack/schema/gitlab_ci.py
@ -35,7 +35,7 @@

 runner_selector_schema = {
    "type": "object",
-    "additionalProperties": False,
+    "additionalProperties": True,
    "required": ["tags"],
    "properties": runner_attributes_schema_items,
 }
--- a/share/spack/gitlab/cloud_pipelines/stacks/deprecated/spack.yaml
+++ b/share/spack/gitlab/cloud_pipelines/stacks/deprecated/spack.yaml
@ -62,6 +62,9 @@ spack:
    - match:
      - '@:'
      runner-attributes:
+        id_tokens:
+          GITLAB_OIDC_TOKEN:
+            aud: "${OIDC_TOKEN_AUDIENCE}"
        tags: [spack, public, small, x86_64]
        variables:
          CI_JOB_SIZE: small
@ -69,6 +72,9 @@ spack:
          KUBERNETES_CPU_REQUEST: 500m
          KUBERNETES_MEMORY_REQUEST: 500M
    signing-job-attributes:
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"
      image: {name: 'ghcr.io/spack/notary:latest', entrypoint: ['']}
      tags: [aws]
      script:
@ -80,6 +86,9 @@ spack:
        --recursive --exclude "*" --include "*.pub"

    service-job-attributes:
+      id_tokens:
+        GITLAB_OIDC_TOKEN:
+          aud: "${OIDC_TOKEN_AUDIENCE}"
      image: ghcr.io/spack/tutorial-ubuntu-18.04:v2021-11-02
      before_script:
      - . "./share/spack/setup-env.sh"