From c1ed6579e8a5837f483cc876523c928e8a2f65df Mon Sep 17 00:00:00 2001
From: Ryan Krattiger
Date: Fri, 11 Oct 2024 13:12:06 -0500
Subject: [PATCH] Change how `CI_OIDC_REQUIRED` works

Add runner and variable documentation in README
---
k8s/production/runners/README.md | 29 +++++++++++++++
.../runners/public/graviton/2/release.yaml | 35 +++++++++---------
.../runners/public/x86_64/v2/release.yaml | 36 ++++++++++---------
3 files changed, 67 insertions(+), 33 deletions(-)
create mode 100644 k8s/production/runners/README.md
diff --git a/k8s/production/runners/README.md b/k8s/production/runners/README.md
new file mode 100644
index 000000000..f3c0e00e7
--- /dev/null
+++ b/k8s/production/runners/README.md
@@ -0,0 +1,29 @@
+# Gitlab runners
+
+There are three types of runners with increasing levels of access to cluster secrets.
+
+1. `public`
+2. `protected`
+3. `signing`
+
+## Public & Protected runners
+
+The `public` and `protected` runners provide multiple architectures and base OSs that run across a range of AWS nodes.
+
+* Windows
+ * `x86_64_v2`
+* Linux
+ * `x86_64_v2`
+ * `x86_64_v3`
+ * `x86_64_v4`
+ * `graviton2`
+ * `graviton3`
+
+### Special Variables
+
+* `CI_OIDC_REQUIRED`: available to be set for runners with the `service` tag.
+ This variable can be used to skip OIDC configuration.
+
+## Signing Runners
+
+The `signing` runners use either `x86_64_v3` or `x86_64_v4` Linux machines.
diff --git a/k8s/production/runners/public/graviton/2/release.yaml b/k8s/production/runners/public/graviton/2/release.yaml
index 8003e2b7f..813314491 100644
--- a/k8s/production/runners/public/graviton/2/release.yaml
+++ b/k8s/production/runners/public/graviton/2/release.yaml
@@ -53,26 +53,29 @@ spec: config: | [[runners]] pre_build_script = """ - echo 'Executing Spack pre-build setup script' + if [ ${CI_OIDC_REQUIRED:-1} == 1 ]; then + echo 'Executing Spack pre-build setup script' - for cmd in "${PY3:-}" python3 python; do - if command -v > /dev/null "$cmd"; then - export PY3="$(command -v "$cmd")" - break - fi - done + for cmd in "${PY3:-}" python3 python; do + if command -v > /dev/null "$cmd"; then + export PY3="$(command -v "$cmd")" + break + fi + done - if [ -z "${PY3:-}" ]; then - echo "Unable to find python3 executable" - exit ${CI_OIDC_REQUIRED:-1} - fi - $PY3 -c "import urllib.request;urllib.request.urlretrieve('https://raw.githubusercontent.com/spack/spack-infrastructure/main/scripts/gitlab_runner_pre_build/pre_build.py', 'pre_build.py')" - $PY3 pre_build.py > envvars + if [ -z "${PY3:-}" ]; then + echo "Unable to find python3 executable" + exit 1 + fi - . ./envvars - rm -f envvars - unset GITLAB_OIDC_TOKEN + $PY3 -c "import urllib.request;urllib.request.urlretrieve('https://raw.githubusercontent.com/spack/spack-infrastructure/main/scripts/gitlab_runner_pre_build/pre_build.py', 'pre_build.py')" + $PY3 pre_build.py > envvars + + . ./envvars + rm -f envvars + unset GITLAB_OIDC_TOKEN + fi """ output_limit = 20480 diff --git a/k8s/production/runners/public/x86_64/v2/release.yaml b/k8s/production/runners/public/x86_64/v2/release.yaml index 41bea40f0..d9d18a411 100644 --- a/k8s/production/runners/public/x86_64/v2/release.yaml +++ b/k8s/production/runners/public/x86_64/v2/release.yaml 
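Review bot: The new guard `if [ ${CI_OIDC_REQUIRED:-1} == 1 ]; then` skips the whole OIDC setup for any value other than the literal `1`, so a mistyped value such as `true` silently disables credential setup instead of failing. The expansion is also unquoted and compared with `==`, which not every POSIX `[` accepts, and an error inside the test evaluates as false and takes the skip path as well. I would let only an explicit opt-out skip the block: `if [ "${CI_OIDC_REQUIRED:-1}" != 0 ]; then`. The README added in this patch says the variable is for runners with the `service` tag, but nothing in this hunk restricts it, so presumably any job scheduled on this public runner can set it; the x86_64/v2 hunk has the same guard.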
@@ -53,26 +53,28 @@ spec: config: | [[runners]] pre_build_script = """ - echo 'Executing Spack pre-build setup script' - - for cmd in "${PY3:-}" python3 python; do - if command -v > /dev/null "$cmd"; then - export PY3="$(command -v "$cmd")" - break + if [ ${CI_OIDC_REQUIRED:-1} == 1 ]; then + echo 'Executing Spack pre-build setup script' + + for cmd in "${PY3:-}" python3 python; do + if command -v > /dev/null "$cmd"; then + export PY3="$(command -v "$cmd")" + break + fi + done + + if [ -z "${PY3:-}" ]; then + echo "Unable to find python3 executable" + exit 1 fi - done - - if [ -z "${PY3:-}" ]; then - echo "Unable to find python3 executable" - exit ${CI_OIDC_REQUIRED:-1} - fi - $PY3 -c "import urllib.request;urllib.request.urlretrieve('https://raw.githubusercontent.com/spack/spack-infrastructure/main/scripts/gitlab_runner_pre_build/pre_build.py', 'pre_build.py')" - $PY3 pre_build.py > envvars + $PY3 -c "import urllib.request;urllib.request.urlretrieve('https://raw.githubusercontent.com/spack/spack-infrastructure/main/scripts/gitlab_runner_pre_build/pre_build.py', 'pre_build.py')" + $PY3 pre_build.py > envvars - . ./envvars - rm -f envvars - unset GITLAB_OIDC_TOKEN + . ./envvars + rm -f envvars + unset GITLAB_OIDC_TOKEN + fi """ output_limit = 20480
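Review bot: The re-indented block still fetches `pre_build.py` from the mutable `main` ref on raw.githubusercontent.com, runs it, and sources its output with `. ./envvars`, with no integrity check and no check that the download or the script succeeded. Because this runs while `GITLAB_OIDC_TOKEN` is still set (it is unset only afterwards), whatever is served at that URL presumably sees the token, so I would pin the URL to a reviewed commit (`.../spack-infrastructure/<COMMIT_SHA>/scripts/gitlab_runner_pre_build/pre_build.py`, placeholder) or verify a checksum before executing. I would also stop the job on failure rather than sourcing an empty file, e.g. `$PY3 pre_build.py > envvars || exit 1`. The graviton/2 hunk carries the same lines.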