Fix JWT token expiration when memoized before timeout is set
What does this MR do and why?
The JWT job token (encoded_jwt) is memoized on the build object. When
pre_assign_runner_checks runs before the job transitions to running,
it can trigger token generation via:
- has_valid_build_dependencies? -> scoped_variables -> kubernetes_variables_from_job
- secrets_provider_not_found? (EE) -> scoped_variables -> kubernetes_variables_from_job
The kubernetes_variables_from_job method calls job.try(:token), which
memoizes the JWT with the current timeout_value. However, at this point
update_timeout_state hasn't run yet (it runs during pending->running
transition), so timeout_value may be nil, resulting in a JWT with only
~6 minutes TTL (60s default + 5min leeway) instead of the job's actual
timeout.
This fix clears the encoded_jwt memoization in present_build! (which
runs after the job has transitioned to running and timeout is set),
ensuring the token is regenerated with the correct expiration.
This particularly affects jobs with needs: dependencies, as they are
more likely to trigger the dependency validation code path.
How to set up and validate locally
Minimal reproducer:
```yaml
# .gitlab-ci.yml
setup:
  script: echo "Setup done"

trigger-child:
  trigger:
    include: child.yml
    strategy: depend
```
and child pipeline:
```yaml
# child.yml
child-job:
  image: ruby
  needs:
    - pipeline: $CI_UPSTREAM_PIPELINE_ID
      job: setup
  script: ruby -e "require 'base64'; puts Base64.encode64(ENV['CI_JOB_TOKEN'])"
  timeout: 1h
```
Then copy the encoded string into a variable s in a gdk rails console and run:
```ruby
jwt = ::Ci::JobToken::Jwt.decode(Base64.decode64(s)).instance_variable_get(:@jwt)
puts (Time.at(jwt.payload["exp"]) - Time.now) / 60
```
Expected results:
- On master: You get under 6 minutes
- On this branch: You get on the order of 60 minutes (depending on how quick you are)
This should be over 60 because we have a 1h timeout and then some leeway. But on master, I get just 6 minutes!
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
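
The sequence described in this MR, reduced to a stand-alone Ruby model (an added example, not GitLab's code and not part of the MR). `DemoBuild`, the demo signing key and the expiry formula are assumptions built from the 60s default, 5min leeway and 1h timeout stated above.

```ruby
require 'json'
require 'openssl'

# Simplified model of the bug; not GitLab's code. DemoBuild, the key and the
# expiry formula (timeout or 60s default, plus 5min leeway) are assumptions.
DEFAULT_TTL = 60
LEEWAY = 5 * 60
SIGNING_KEY = 'constructed-demo-key'

class DemoBuild
  def initialize(configured_timeout, clear_on_present:)
    @configured_timeout = configured_timeout
    @clear_on_present = clear_on_present
    @timeout_value = nil # unset until the job starts running
  end

  # Memoized: the first caller fixes "exp" for the life of the object.
  def token(now)
    @encoded_jwt ||= encode_jwt({ exp: now.to_i + (@timeout_value || DEFAULT_TTL) + LEEWAY })
  end

  # Stand-in for the pending -> running transition that sets the timeout.
  def update_timeout_state
    @timeout_value = @configured_timeout
  end

  # Stand-in for present_build!: the fix drops the stale memoized token.
  def present_build!(now)
    @encoded_jwt = nil if @clear_on_present
    token(now)
  end

  private
  def encode_jwt(payload)
    b64 = ->(s) { [s].pack('m0').tr('+/', '-_').delete('=') }
    input = "#{b64.(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}.#{b64.(JSON.generate(payload))}"
    "#{input}.#{b64.(OpenSSL::HMAC.digest('SHA256', SIGNING_KEY, input))}"
  end
end

# Seconds until the "exp" claim of the token that reaches the runner.
def handed_out_ttl(clear_on_present:, now: Time.at(1_700_000_000))
  build = DemoBuild.new(3600, clear_on_present: clear_on_present)
  build.token(now)           # pre-assign check touches the token early
  build.update_timeout_state # job starts running, timeout is now 1h
  claims = build.present_build!(now).split('.')[1].tr('-_', '+/').unpack1('m')
  JSON.parse(claims)['exp'] - now.to_i
end

puts handed_out_ttl(clear_on_present: false), handed_out_ttl(clear_on_present: true)
```

Without the clearing step the model hands out the token minted before the timeout was known; with it, the expiry tracks the configured timeout plus leeway.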