Runner integration for group secrets (CI Config + JWT Claims)

Feature

CI pipelines can fetch group secrets using explicit source

Scope

Update CI config parser to support source: group/path syntax
Rails dispatch logic to handle group secret sources
Provide correct namespace path and JWT to runner
Support for multiple secret sources in same pipeline (project + multiple groups)

Deliverable

Pipelines can fetch group secrets using source: group/path syntax

Dependencies

CI YAML Example

build:
  secrets:
    REGISTRY_PASS:
      gitlab_secrets_manager:
        name: REGISTRY_PASS
        source: group/123

Notes

No runner-side changes needed - all logic in Rails
JWT changes are backward compatible
Runner just presents JWT and fetches from namespace path Rails provides

Related to &17904

Edited Jan 23, 2026 by Jayakrishnan Mallissery