## Problem Currently, `CI_JOB_JWT` has `environment` (environment name) and `environment_protected` (whether the environment is protected), but it doesn't have [Deployment tier of environments](https://docs.gitlab.com/ee/ci/environments/#deployment-tier-of-environments). In order to fetch secretes from a value per deployment tier, we should add the tier in the payload. ## Proposal Add `deployment_tier` field to the JWT. ```diff diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb index 97774bc5e13..25cabc17c70 100644 --- a/lib/gitlab/ci/jwt.rb +++ b/lib/gitlab/ci/jwt.rb @@ -58,10 +58,13 @@ def custom_claims job_id: build.id.to_s, ref: source_ref, ref_type: ref_type, - ref_protected: build.protected.to_s + ref_protected: build.protected.to_s, + deployment_tier: build.environment_deployment_tier } if environment.present? + fields[:deployment_tier] ||= environment.tier + fields.merge!( environment: environment.name, environment_protected: environment_protected?.to_s ```