
Secure JWT token Default Behavior

Problem to Solve

There are three ways to use a JSON web token in a CI job:

  1. Legacy method using CI_JOB_JWT (via the secrets: keyword)
  2. Alpha version using CI_JOB_JWT_V2
  3. Production-ready OIDC ID tokens, using the following syntax:

auth_job:
  secrets:
    VAULT_JWT_1:
      id_token:
        aud: 'devs'
    STAGING_DATABASE_PASSWORD: # VAULT_JWT_1 is the token to be used
      vault: staging/db/password@ops
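To make concrete what the id_token / aud syntax in option 3 buys over a single shared job token, here is an added example, written for this page and not GitLab's own code: it mints one per-secret ID token with an audience claim and shows the consumer-side checks (pinned algorithm, signature, expiry, audience) that make that binding enforceable. The RSA key, issuer URL, claim layout and five-minute lifetime are assumptions for the example; a real instance signs with its own key and publishes the public half through OIDC discovery.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed stand-in for the instance signing key, so the example runs offline.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER = 'https://gitlab.example.com' # assumed issuer URL

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Mint one ID token for one declared secret, with `aud` taken from the job's
# YAML (`id_token: aud: 'devs'` above). The claim set is an assumed, simplified
# subset; only `aud`, `exp` and the signature matter for the point being made.
def mint_id_token(aud:, project_path:, ref:, now: Time.now.to_i, key: SIGNING_KEY)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = {
    iss: ISSUER,
    sub: "project_path:#{project_path}:ref_type:branch:ref:#{ref}",
    aud: aud,
    iat: now,
    exp: now + 300,
    project_path: project_path,
    ref: ref
  }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# What a consumer such as Vault must do before trusting the token: pin the
# algorithm, verify the signature with the issuer's public key, reject expired
# tokens, and reject any token whose `aud` does not name this consumer.
# Returns [true, claims] on success or [false, reason] on failure.
def verify_id_token(token, expected_aud:, now: Time.now.to_i, public_key: SIGNING_KEY.public_key)
  parts = token.split('.')
  return [false, 'malformed'] unless parts.size == 3
  h, p, s = parts

  header = JSON.parse(Base64.urlsafe_decode64(h))
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256'

  signature_ok = begin
    public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s), "#{h}.#{p}")
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return [false, 'bad signature'] unless signature_ok

  claims = JSON.parse(Base64.urlsafe_decode64(p))
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return [false, 'wrong audience'] unless Array(claims['aud']).include?(expected_aud)

  [true, claims]
end

# Re-encode the payload of an existing token with a different audience while
# keeping the original signature: what someone holding only the token (not the
# key) can attempt. The signature no longer covers the payload, so it fails.
def retarget_token(token, new_aud:)
  h, p, s = token.split('.')
  claims = JSON.parse(Base64.urlsafe_decode64(p))
  claims['aud'] = new_aud
  "#{h}.#{b64url(JSON.generate(claims))}.#{s}"
end

if $PROGRAM_NAME == __FILE__
  token = mint_id_token(aud: 'devs', project_path: 'group/app', ref: 'main')
  puts verify_id_token(token, expected_aud: 'devs').inspect  # accepted by the 'devs' consumer
  puts verify_id_token(token, expected_aud: 'vault').inspect # rejected elsewhere: wrong audience
  puts verify_id_token(retarget_token(token, new_aud: 'vault'), expected_aud: 'vault').inspect
end
```

The audience check is the part a shared, audience-less job token cannot give you: with a distinct aud per declared secret, a token leaked from one integration is not accepted by another, and a holder cannot widen its audience without the signing key.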

To roll out the production-ready OIDC tokens without a breaking change, a project setting was introduced: new projects get the more secure behavior by default, while existing projects keep their current behavior until they opt in.

Proposal

  • Always behave as if the setting is enabled (option 3), including for existing projects that currently have it disabled
  • Remove the ability to toggle this feature on/off, keeping the ability to add/remove projects in the job token scope

Current Status

As we iterate on outbound permissions to make it easier to add projects in bulk rather than one at a time, we will reconsider making this the default behavior in a major milestone.

Implementation

1. Enable OIDC setting for all projects

Per #391886 (comment 1286846867):

The toggle being referred to in this issue is stored in the project_ci_cd_settings table as opt_in_jwt. The 2 main uses of it in the backend are in the EE::BuildRunnerPresenter and the CI::Build model.

We can also remove the opt_in_jwt field from project_ci_cd_settings.

This means we need to accomplish the following for the backend part:

  • Remove all references to ci_cd_settings.opt_in_jwt? in the codebase
  • Drop the column project_ci_cd_settings#opt_in_jwt. This is a multi-step process; in this issue we only track the ignore_column step.

2. Remove toggle in the settings frontend-weight2

Issue: #391886 (closed)

After the setting is enabled for all projects, we can remove this toggle from the project settings (Settings > CI/CD > Token Access). This will be a cleanup of the code added in !92711 (merged).


Edited by Max Orefice