fix(ci): restore OIDC setup for code-sign job
The v0.59.0 release pipeline failed at the local-cli-code-sign job because the inherited Google OIDC setup never ran — leaving the Cloud HSM signer with no credentials.
Why
The job extends .google-oidc:auth, which writes a Workload Identity Federation credentials file to /var/run/secrets/gitlab/ and exports GOOGLE_APPLICATION_CREDENTIALS from its own before_script. When !1325 (merged) added its own before_script: to the same job, GitLab CI replaced the inherited one rather than merging — so no credentials were written, and the first sign call aborted with Invalid Application Default Credentials.
Behavior
| | Before fix (v0.59.0 tag) | After fix |
|---|---|---|
| OIDC credentials file | not written | written by .google-oidc:auth |
| GOOGLE_APPLICATION_CREDENTIALS | unset | exported |
| First darwin sign call | fails with PKCS#11 init error | succeeds |
| Tag pipeline | fails, no signed artifacts ship | publishes signed artifacts |
The clobbered before_script also tried apt-get install zip unzip, which would never have worked — the code-signer:1.1.0 image is RHEL 8.10. The image already ships zip and unzip at /usr/bin/, so we can simply drop the override.
Relates to #569 (closed)
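
The failure mode described in this message, as an added example that is not part of the original commit or the project's code: a Python check that emulates GitLab CI's `extends` merge (hashes merged key by key, arrays replaced) and flags jobs whose own `before_script` drops inherited lines. The job bodies and variable names in `CONFIG` are constructed; only the job and template names come from the message.

```python
# Constructed config: only the job/template names come from the commit message.
CONFIG = {
    ".google-oidc:auth": {
        "variables": {"TEMPLATE_VAR": "1"},
        "before_script": ["<write WIF credentials>", "export GOOGLE_APPLICATION_CREDENTIALS=<path>"],
    },
    "local-cli-code-sign": {
        "extends": ".google-oidc:auth",
        "variables": {"JOB_VAR": "1"},
        "before_script": ["apt-get install zip unzip"],
    },
}

def deep_merge(base, override):
    """Merge as `extends` does: hashes key by key, arrays and scalars replaced."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value  # a list such as before_script lands here
    return merged

def resolve(config, name):
    """Return the effective job after applying its whole `extends` chain."""
    job = config[name]
    parents = job.get("extends", [])
    parents = [parents] if isinstance(parents, str) else parents
    effective = {}
    for parent in parents:  # later parents override earlier ones
        effective = deep_merge(effective, resolve(config, parent))
    own = {k: v for k, v in job.items() if k != "extends"}
    return deep_merge(effective, own)

def clobbered_before_script(config):
    """Return (job, lost_lines) for jobs whose before_script drops inherited lines."""
    findings = []
    for name, job in config.items():
        if "extends" not in job or "before_script" not in job:
            continue
        parents_only = {**config, name: {"extends": job["extends"]}}
        inherited = resolve(parents_only, name).get("before_script", [])
        lost = [line for line in inherited if line not in job["before_script"]]
        if lost:
            findings.append((name, lost))
    return findings

if __name__ == "__main__":
    for job, lost in clobbered_before_script(CONFIG):
        print(f"{job}: before_script override drops inherited lines: {lost}")
```

Run against a parsed pipeline definition, a check like this reports the override before a tag pipeline reaches the signing step; `variables` merge while `before_script` does not, which is why the job looked intact on a quick read.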