diff options
-rw-r--r-- | share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml | 8 | ||||
-rw-r--r-- | share/spack/gitlab/cloud_pipelines/configs/ci.yaml | 15 |
2 files changed, 23 insertions, 0 deletions
diff --git a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml index 5860210b28..2467463d81 100644 --- a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml +++ b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml @@ -69,6 +69,7 @@ default: .base-job: variables: SPACK_BUILDCACHE_DESTINATION: "s3://spack-binaries/${CI_COMMIT_REF_NAME}/${SPACK_CI_STACK_NAME}" + rules: - if: $CI_COMMIT_REF_NAME == "develop" # Pipelines on develop only rebuild what is missing from the mirror @@ -79,6 +80,7 @@ default: SPACK_REQUIRE_SIGNING: "True" AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "protected_binary_mirror" - if: $CI_COMMIT_REF_NAME =~ /^releases\/v.*/ # Pipelines on release branches always rebuild everything when: always @@ -90,6 +92,7 @@ default: SPACK_REQUIRE_SIGNING: "True" AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "protected_binary_mirror" - if: $CI_COMMIT_TAG =~ /^develop-[\d]{4}-[\d]{2}-[\d]{2}$/ || $CI_COMMIT_TAG =~ /^v.*/ # Pipelines on tags (release or dev snapshots) only copy binaries from one mirror to another when: always @@ -99,6 +102,7 @@ default: SPACK_COPY_BUILDCACHE: "s3://spack-binaries/${CI_COMMIT_REF_NAME}" AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "protected_binary_mirror" - if: $CI_COMMIT_REF_NAME =~ /^pr[\d]+_.*$/ # Pipelines on PR branches rebuild only what's missing, and do extra pruning when: always @@ -109,6 +113,7 @@ default: SPACK_PRUNE_UNTOUCHED_DEPENDENT_DEPTH: "1" AWS_ACCESS_KEY_ID: ${PR_MIRRORS_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PR_MIRRORS_AWS_SECRET_ACCESS_KEY} + OIDC_TOKEN_AUDIENCE: "pr_binary_mirror" .generate-common: stage: generate @@ -225,6 +230,9 @@ protected-publish: - curl -fLsS https://spack.github.io/keys/spack-public-binary-key.pub -o /tmp/spack-public-binary-key.pub - aws s3 cp /tmp/spack-public-binary-key.pub "${SPACK_COPY_BUILDCACHE}/build_cache/_pgp/spack-public-binary-key.pub" - spack buildcache update-index --keys "${SPACK_COPY_BUILDCACHE}" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" ######################################## # TEMPLATE FOR ADDING ANOTHER PIPELINE diff --git a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml index ff115c9c31..5f7e904ba5 100644 --- a/share/spack/gitlab/cloud_pipelines/configs/ci.yaml +++ b/share/spack/gitlab/cloud_pipelines/configs/ci.yaml @@ -32,6 +32,9 @@ ci: CI_JOB_SIZE: "default" CI_GPG_KEY_ROOT: /mnt/key # SPACK_VERBOSE_SCRIPT: "1" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - signing-job: image: { "name": "ghcr.io/spack/notary:latest", "entrypoint": [""] } @@ -41,6 +44,9 @@ ci: - /sign.sh - aws s3 sync --exclude "*" --include "*spec.json.sig*" /tmp ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache - aws s3 cp /tmp/public_keys ${SPACK_REMOTE_MIRROR_OVERRIDE}/build_cache/_pgp --recursive --exclude "*" --include "*.pub" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - copy-job: tags: ["service", "x86_64"] @@ -68,6 +74,9 @@ ci: CI_JOB_SIZE: "medium" KUBERNETES_CPU_REQUEST: "4000m" KUBERNETES_MEMORY_REQUEST: "16G" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - reindex-job: tags: ["service", "x86_64"] @@ -76,6 +85,9 @@ ci: CI_JOB_SIZE: "medium" KUBERNETES_CPU_REQUEST: "4000m" KUBERNETES_MEMORY_REQUEST: "16G" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - cleanup-job: tags: ["service"] @@ -83,6 +95,9 @@ ci: CI_JOB_SIZE: "small" KUBERNETES_CPU_REQUEST: "500m" KUBERNETES_MEMORY_REQUEST: "500M" + id_tokens: + GITLAB_OIDC_TOKEN: + aud: "${OIDC_TOKEN_AUDIENCE}" - noop-job: tags: ["service"] |