Commit fd353bc9 authored by Alexis Deruelle's avatar Alexis Deruelle

ci: fix service variable visibility

We need to explicitly set GCP_OIDC_* so that they are available in the
service container, as service containers can't directly access pipeline
variables [1].

We also need to use intermediate variable names as substitution does
not seem to work if we try to set a variable with a reference to a
variable with the same name. Could not find good reference about the
issue though.

Fixes test-token-succeeds job failure

[1] https://docs.gitlab.com/ee/ci/variables/index.html#in-service-containers
parent 144ace40
+10 −2
@@ -22,8 +22,8 @@ stages:
variables:
  PYTHON_IMAGE: "registry.hub.docker.com/library/python:3.11"
  PYTHON_SBOM_DISABLED: "true"
  GCP_OIDC_PROVIDER: $GCP_OIDC_PROVIDER
  GCP_OIDC_ACCOUNT: $GCP_OIDC_ACCOUNT
  VALID_GCP_OIDC_PROVIDER: $GCP_OIDC_PROVIDER
  VALID_GCP_OIDC_ACCOUNT: $GCP_OIDC_ACCOUNT
  DOCKER_BUILD_ARGS: "--cache-ttl=6h"
  DOCKER_PROD_PUBLISH_STRATEGY: "auto"

@@ -127,6 +127,14 @@ test-token-succeeds:
  extends: .test-base
  variables:
    CI_JOB_JWT_V2: $CI_JOB_JWT_V2

  services:
    - name: "$DOCKER_SNAPSHOT_IMAGE"
      alias: "gcp-auth-provider"
      variables:
        GCP_OIDC_PROVIDER: $VALID_GCP_OIDC_PROVIDER
        GCP_OIDC_ACCOUNT: $VALID_GCP_OIDC_ACCOUNT

  script:
    - |
      response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://gcp-auth-provider/token")
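Review bot: The `VALID_GCP_OIDC_*` indirection in the top-level `variables:` block and in the service-level `variables:` of `test-token-succeeds` carries no comment, so its rationale lives only in the commit message and a later cleanup could collapse the names back and break the job again. A comment above the two `VALID_*` entries, for example `# Intermediate names: a service variable referencing a pipeline variable of the same name did not expand (see fd353bc9)`, would keep that visible in the file. Only this job's service appears to read the values, so it may be worth checking whether the `VALID_*` assignments can sit in the job's own `variables:` instead of globally, which would keep the provider and account identifiers out of every other job and service container; that placement is untested here. The job's `script:` block continues outside the hunk.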