From 1f11b3844afacd4e190ffe4db7d3241bb298c451 Mon Sep 17 00:00:00 2001
From: kwryankrattiger <80296582+kwryankrattiger@users.noreply.github.com>
Date: Wed, 31 Jan 2024 08:05:57 -0600
Subject: [PATCH] CI: Add OIDC capability for deprecated CI (#42371)
This "breaks" the deprecated schema by allowing unknown attributes to the attributes section of the job types. The breaking change here is that deprecated stacks will no longer ignore attributes that are unknown but rather assume the new CI schema behavior of injecting them into the generated CI configuration. This change is required to secure authentication in Spack CI.
---
 lib/spack/spack/schema/gitlab_ci.py | 2 +-
 .../gitlab/cloud_pipelines/stacks/deprecated/spack.yaml | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/spack/spack/schema/gitlab_ci.py b/lib/spack/spack/schema/gitlab_ci.py
index c95cd674d9d..85acd9cc512 100644
--- a/lib/spack/spack/schema/gitlab_ci.py
+++ b/lib/spack/spack/schema/gitlab_ci.py
@@ -35,7 +35,7 @@ runner_selector_schema = {
 "type": "object",
- "additionalProperties": False,
+ "additionalProperties": True,
 "required": ["tags"],
 "properties": runner_attributes_schema_items,
 }
diff --git a/share/spack/gitlab/cloud_pipelines/stacks/deprecated/spack.yaml b/share/spack/gitlab/cloud_pipelines/stacks/deprecated/spack.yaml
index 17d5447c4d1..017c3d9c70f 100644
--- a/share/spack/gitlab/cloud_pipelines/stacks/deprecated/spack.yaml
+++ b/share/spack/gitlab/cloud_pipelines/stacks/deprecated/spack.yaml
@@ -62,6 +62,9 @@ spack:
 - match:
 - '@:'
 runner-attributes:
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
 tags: [spack, public, small, x86_64]
 variables:
 CI_JOB_SIZE: small
@@ -69,6 +72,9 @@ spack:
 KUBERNETES_CPU_REQUEST: 500m
 KUBERNETES_MEMORY_REQUEST: 500M
 signing-job-attributes:
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
 image: {name: 'ghcr.io/spack/notary:latest', entrypoint: ['']}
 tags: [aws]
 script:
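Review bot: Flipping `additionalProperties` to `True` on `runner_selector_schema` means any key placed under a stack's runner attributes is now accepted, not only `id_tokens`, and a misspelled key (`tag:` instead of `tags:`) is no longer rejected at validation time; `required: ["tags"]` still catches a missing `tags`, but nothing else under that object is checked any more. Because the commit message says unknown keys are forwarded into the generated job, this widens what a stack's `spack.yaml` can set on a CI job, and that is worth stating in the schema itself rather than only in the commit. Suggested comment above the `"additionalProperties": True,` line: `# Unknown keys are accepted and (mirroring the newer ci schema) passed through to the generated job; only "tags" is validated here.` The `runner_selector_schema` dict opens before this hunk.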
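Review bot: The audience of the requested token is taken from `${OIDC_TOKEN_AUDIENCE}`, and nothing in this file defines that variable, so it presumably has to be supplied as a project- or group-level CI variable; if it is unset, the job would request a token with an empty or wrong `aud` claim and the failure would surface only where the token is consumed (GitLab's handling of an undefined variable in `id_tokens` is not visible here, so treat that as an assumption to confirm). A comment on the first `id_tokens:` block naming where the variable is expected to live, e.g. `# OIDC_TOKEN_AUDIENCE must be set as a CI variable for this project; the token is only valid for that audience`, would save the next reader a search. The same three-line block is repeated verbatim under `signing-job-attributes` in the next hunk and under `service-job-attributes` in the one after; if the spack.yaml loader honours YAML anchors, declaring it once with `&oidc_tokens` and referencing it with `*oidc_tokens` would keep the three copies in step.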
@@ -80,6 +86,9 @@ spack:
 --recursive --exclude "*" --include "*.pub"
 service-job-attributes:
+ id_tokens:
+ GITLAB_OIDC_TOKEN:
+ aud: "${OIDC_TOKEN_AUDIENCE}"
 image: ghcr.io/spack/tutorial-ubuntu-18.04:v2021-11-02
 before_script:
 - . "./share/spack/setup-env.sh"