[Feature Flag] Rollout of project_secrets_cel_pipeline_auth

Summary

This issue is to roll out to production the feature that is currently behind the project_secrets_cel_pipeline_auth feature flag.

Related MR: !223327 (merged)

Owners

  • Most appropriate Slack channel to reach out to: #g_pipeline-security
  • Best individual to reach out to: @iamricecake

Expectations

What are we expecting to happen?

This feature migrates project secrets pipeline JWT authentication from legacy bound_claims to CEL-based authentication, matching the group secrets implementation. When enabled:

  • Pipeline authentication will use the CEL-based JWT role with /cel/ in the login path
  • CEL program validates project_id, subject, scope, audience, and user_id claims
  • Token policies are dynamically generated (global, environment, branch, combined)
  • Authentication behavior should remain functionally identical to legacy auth

What can go wrong and how would we detect it?

Potential issues:

  • Pipeline jobs fail to authenticate with secrets manager
  • Secrets are not accessible during pipeline execution
  • CEL validation logic rejects valid tokens
  • Performance degradation in authentication

Detection:

  • Monitor pipeline failure rates in Kibana/Grafana
  • Check for authentication errors in OpenBao logs
  • Monitor #g_pipeline-security Slack channel for user reports
  • Review error rates in secrets manager client metrics
Edited Feb 18, 2026 by 🤖 GitLab Bot 🤖