Merge branch '215902-ci-job-jwt-handle-signing-key-issues' into 'master'

Handle issues with OpenID signing key when generating CI_JOB_JWT

See merge request gitlab-org/gitlab!30702

app/models/ci/build.rb

@@ -990,6 +990,8 @@ module Ci
 
         jwt = Gitlab::Ci::Jwt.for_build(self)
         variables.append(key: 'CI_JOB_JWT', value: jwt, public: false, masked: true)
+      rescue OpenSSL::PKey::RSAError => e
+        Gitlab::ErrorTracking.track_exception(e)
       end
     end
   end

changelogs/unreleased/215902-ci-job-jwt-handle-signing-key-issues.yml

+---
+title: Handle possible RSA key exceptions when generating CI_JOB_JWT
+merge_request: 30702
+author:
+type: changed

spec/models/ci/build_spec.rb

@@ -2350,6 +2350,16 @@ describe Ci::Build do
         end
       end
 
+      context 'when CI_JOB_JWT generation fails' do
+        it 'CI_JOB_JWT is not included' do
+          expect(Gitlab::Ci::Jwt).to receive(:for_build).and_raise(OpenSSL::PKey::RSAError, 'Neither PUB key nor PRIV key: not enough data')
+          expect(Gitlab::ErrorTracking).to receive(:track_exception)
+
+          expect { subject }.not_to raise_error
+          expect(subject.pluck(:key)).not_to include('CI_JOB_JWT')
+        end
+      end
+
       describe 'variables ordering' do
         context 'when variables hierarchy is stubbed' do
           let(:build_pre_var) { { key: 'build', value: 'value', public: true, masked: false } }