# GitLab Runner Helm chart sets GOOGLE_APPLICATION_CREDENTIALS breaking Workload Identity for docker+machine executor

## Problem

The GitLab Runner Helm chart sets `GOOGLE_APPLICATION_CREDENTIALS` globally in the entrypoint script when GCS cache credentials are configured. This breaks Workload Identity for the `docker+machine` executor because docker-machine subprocesses inherit this env var and authenticate with the GCS cache service account (which lacks compute permissions) instead of the Workload Identity service account.

## Affected Code

[`templates/configmap.yaml#L45-49`](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/templates/configmap.yaml?ref_type=heads#L45-49):

```bash
if [[ -f /secrets/gcs-application-credentials-file ]]; then
  export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file"
fi
```

## Impact

VM creation fails with `403 Forbidden: Required 'compute.projects.get' permission`. Users must choose between GCS cache OR Workload Identity for VM creation.

## Workaround

Remove `runners.cache.secretName` from Helm values. Trade-off: jobs run without cache.

## Proposed Fix

Replace `GOOGLE_APPLICATION_CREDENTIALS` with `CACHE_GCS_CREDENTIALS_FILE` in the entrypoint script. This env var is scoped to the cache subsystem only, so docker-machine falls back to ADC (Workload Identity) for VM creation.

## Configuration

- Helm chart version: 0.87.1
- GitLab Runner version: 18.11.1
- Executor: `docker+machine`

## Related

- Parent: gitlab-com/gl-infra/production-engineering#28835
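The following is an added example, not code from the chart or from GitLab Runner. It wraps the current entrypoint fragment and the proposed replacement in shell functions and runs each in a subshell, then reports which credential variables a child process (standing in for docker-machine) inherits. The `export_creds_global`, `export_creds_scoped` and `child_env` names and the credentials-file argument are assumptions made for the example; the real chart hardcodes `/secrets/gcs-application-credentials-file`.

```shell
# Added example (not the chart's own entrypoint). The file path is passed in
# as an argument so the demo can run without a mounted /secrets volume.

# Current behaviour: a process-wide ADC override. Every child of the entrypoint,
# docker-machine included, inherits it and authenticates as the cache SA.
export_creds_global() {
    if [ -f "$1" ]; then
        export GOOGLE_APPLICATION_CREDENTIALS="$1"
    fi
}

# Proposed fix: a variable only the runner's cache subsystem reads. Children
# see no GOOGLE_APPLICATION_CREDENTIALS, so ADC (Workload Identity) applies.
export_creds_scoped() {
    if [ -f "$1" ]; then
        export CACHE_GCS_CREDENTIALS_FILE="$1"
    fi
}

# Run one variant in a subshell and print, space-separated, the credential
# variable names a child process inherits (empty when none are set).
child_env() {
    mode="$1"
    file="$2"
    (
        unset GOOGLE_APPLICATION_CREDENTIALS CACHE_GCS_CREDENTIALS_FILE
        case "$mode" in
            global) export_creds_global "$file" ;;
            scoped) export_creds_scoped "$file" ;;
        esac
        # A fresh sh stands in for the docker-machine subprocess.
        sh -c 'env | grep -E "^(GOOGLE_APPLICATION_CREDENTIALS|CACHE_GCS_CREDENTIALS_FILE)=" | cut -d= -f1 | sort | xargs'
    )
}

# Stand-alone demo: a constructed, empty credentials file.
demo_file=$(mktemp)
echo "global: $(child_env global "$demo_file")"   # GOOGLE_APPLICATION_CREDENTIALS
echo "scoped: $(child_env scoped "$demo_file")"   # CACHE_GCS_CREDENTIALS_FILE
echo "missing file: $(child_env scoped /nonexistent/creds.json)"   # (empty)
rm -f "$demo_file"
```

The same check can be run against a live runner pod with `kubectl exec ... -- env | grep GOOGLE_APPLICATION_CREDENTIALS`: if the variable is present in the runner's environment, every docker-machine invocation will use that key file instead of Workload Identity.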