What?

Changes that GitLab is making to its runner authentication-token framework require changes in the way that Jacamar runners manage these tokens.  In particular, Jacamar needs to switch from the soon-to-be-removed CI_JOB_JWT tokens to id_tokens.  Use of id_tokens will become mandatory under GitLab 17.0 (May 2024).  LC has developed a GitLab CI template to ease the transition, but users may also directly include id_tokens in their CI jobs if they prefer not to use a template.

When?

We will be making a change to our Jacamar configurations on Monday, April 8th.  At that point, users will receive warnings in CI jobs to enable id_tokens.  Jobs will continue to run while GitLab is on version 16.x.  Once GitLab is upgraded to 17.0 in May 2024, jobs without id_tokens will cease working.

Who?

If you are running CI/CD jobs on any of the LC GitLab instances (CZ, RZ, SCF), then you will need to perform the step outlined below.

How?

The following include directive needs to be added to all your gitlab-ci.yml files:

include:
  - project: 'lc-templates/id_tokens'
    file: 'id_tokens.yml'

Once we make the change to our LC Jacamar runner configuration files to enable the use of id_tokens, your jobs will still run if you leave out the above include directive.  However, you will see the following warning in your job logs:

No id_token found on SITE_ID_TOKEN variable. Please update your CI job to include the following:
  id_tokens:
     SITE_ID_TOKEN:
        aud: https://lc.llnl.gov/gitlab

After we upgrade to GitLab 17.0, however, such jobs will no longer run.
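
To find the CI files that still need the change before the upgrade, a check like the following can be run over a checkout. It is an added example, not LC or Jacamar tooling: the function names are hypothetical, it only looks at files named .gitlab-ci.yml, and it is a line-based text match rather than a YAML parser, so it recognizes only the include directive and the id_tokens block in the forms shown on this page.

```shell
#!/bin/sh
# Added example (not LC tooling): list .gitlab-ci.yml files that neither
# include the LC template nor declare SITE_ID_TOKEN themselves.
# Line-based heuristic, not a YAML parser; full-line comments are ignored.
EXPECTED_AUD='https://lc.llnl.gov/gitlab'   # audience from the warning text

# has_id_token FILE: exit 0 if FILE carries either form, else non-zero.
has_id_token() {
    body=$(grep -v '^[[:space:]]*#' "$1" || true)
    # Form 1: the include directive for lc-templates/id_tokens.
    if printf '%s\n' "$body" |
        grep -Eq "project:[[:space:]]*['\"]?lc-templates/id_tokens['\"]?[[:space:]]*\$"; then
        return 0
    fi
    # Form 2: id_tokens, SITE_ID_TOKEN and the expected aud all present.
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*id_tokens:[[:space:]]*$' &&
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]+SITE_ID_TOKEN:[[:space:]]*$' &&
    printf '%s\n' "$body" |
        grep -Eq "^[[:space:]]+aud:[[:space:]]*['\"]?${EXPECTED_AUD}['\"]?[[:space:]]*\$"
}

# audit_repo DIR: print every .gitlab-ci.yml under DIR that lacks both forms.
audit_repo() {
    find "$1" -type f -name '.gitlab-ci.yml' | sort | while IFS= read -r f; do
        has_id_token "$f" || printf '%s\n' "$f"
    done
}

# make_samples: write three constructed sample repos, print the temp dir.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/with_include" "$d/direct" "$d/missing"
    printf '%s\n' 'include:' "  - project: 'lc-templates/id_tokens'" \
        "    file: 'id_tokens.yml'" 'build:' '  script: [make]' \
        > "$d/with_include/.gitlab-ci.yml"
    printf '%s\n' 'build:' '  id_tokens:' '    SITE_ID_TOKEN:' \
        "      aud: $EXPECTED_AUD" '  script: [make]' \
        > "$d/direct/.gitlab-ci.yml"
    # The include is commented out here, so this file must be reported.
    printf '%s\n' "#  - project: 'lc-templates/id_tokens'" 'build:' \
        '  script: [make]' > "$d/missing/.gitlab-ci.yml"
    printf '%s\n' "$d"
}

# Demo on the constructed samples: only missing/.gitlab-ci.yml is listed.
samples=$(make_samples)
audit_repo "$samples"
rm -rf "$samples"
```

An empty listing from audit_repo means every .gitlab-ci.yml it found carries one of the two forms; a pipeline that picks up the directive through some other file will still be listed and needs a manual look.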