Add deployment tier to CI_JOB_JWT

Problem

Currently, CI_JOB_JWT has environment (environment name) and environment_protected (whether the environment is protected), but it doesn't have the deployment tier of environments. In order to fetch secrets from a value per deployment tier, we should add the tier in the payload.

Proposal

Add deployment_tier field to the JWT.

diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 97774bc5e13..25cabc17c70 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -58,10 +58,13 @@ def custom_claims
           job_id: build.id.to_s,
           ref: source_ref,
           ref_type: ref_type,
-          ref_protected: build.protected.to_s
+          ref_protected: build.protected.to_s,
+          deployment_tier: build.environment_deployment_tier
         }
 
         if environment.present?
+          fields[:deployment_tier] ||= environment.tier
+
           fields.merge!(
             environment: environment.name,
             environment_protected: environment_protected?.to_s
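Review bot: deployment_tier is added to the base fields hash unconditionally, so a job with no environment still gets the key (with whatever build.environment_deployment_tier returns, possibly nil), while environment and environment_protected are only merged inside `if environment.present?`. Consider moving the claim into that fields.merge! call so all three environment claims appear or are absent together. Also, with `fields[:deployment_tier] ||= environment.tier` the build-level value silently wins over the persisted environment's tier whenever both are set; since the stated purpose is to gate secret access on this claim, please document which source is authoritative and add a spec for the case where the two differ.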
Edited by Chris Balane