ci/container: set up S3_JWT_FILE also for container jobs

Set up "${S3_JWT_FILE}" also for container jobs, this can be useful in
case some jobs want to save something to S3.

Note that for container jobs setting the file /s3_swt in the
`default:before_script` section would not work: this wold be "too early"
because, when using ci-templates, the cbuild invocation switches the
root filesystem before executing FDO_DISTRIBUTION_EXEC, resulting in the
file becoming unavailable after the switch.

So set up the file exactly in FDO_DISTRIBUTION_EXEC, before launching
the actual container script.

Do this using a new trampoline script
.gitlab-ci/container/container_job_trampoline.sh so that in the future
other tasks common to all container jobs can be added there.

Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/31093>

.gitlab-ci.yml

@@ -68,6 +68,9 @@ variables:
           rm download-git-cache.sh
           set +o xtrace
   S3_JWT_FILE: /s3_jwt
+  S3_JWT_FILE_SCRIPT: |-
+      echo -n '${S3_JWT}' > '${S3_JWT_FILE}' &&
+      unset CI_JOB_JWT S3_JWT  # Unsetting vulnerable env variables
   S3_HOST: s3.freedesktop.org
   # This bucket is used to fetch the kernel image
   S3_KERNEL_BUCKET: mesa-rootfs
@@ -112,9 +115,8 @@ default:
     - >
       export SCRIPTS_DIR=$(mktemp -d) &&
       curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" &&
-      . ${SCRIPTS_DIR}/setup-test-env.sh &&
-      echo -n "${S3_JWT}" > "${S3_JWT_FILE}" &&
-      unset CI_JOB_JWT S3_JWT  # Unsetting vulnerable env variables
+      . ${SCRIPTS_DIR}/setup-test-env.sh
+    - eval "$S3_JWT_FILE_SCRIPT"
 
   after_script:
     # Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338

.gitlab-ci/container/container_job_trampoline.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# When changing this file, check if the *_BUIL_TAG tags in
+# .gitlab-ci/image-tags.yml need updating.
+
+set -eu
+
+# Early check for required env variables, relies on `set -u`
+: "$S3_JWT_FILE_SCRIPT"
+
+if [ -z "$1" ]; then
+  echo "usage: $(basename "$0") <CONTAINER_CI_JOB_NAME>" 1>&2
+  exit 1
+fi
+
+CONTAINER_CI_JOB_NAME="$1"
+
+# Tasks to perform before executing the script of a container job
+eval "$S3_JWT_FILE_SCRIPT"
+unset S3_JWT_FILE_SCRIPT
+
+bash ".gitlab-ci/container/${CONTAINER_CI_JOB_NAME}.sh"

.gitlab-ci/container/gitlab-ci.yml

@@ -57,7 +57,7 @@
     - .incorporate-templates-commit
   variables:
     FDO_REPO_SUFFIX: $CI_JOB_NAME
-    FDO_DISTRIBUTION_EXEC: 'bash .gitlab-ci/container/${CI_JOB_NAME}.sh'
+    FDO_DISTRIBUTION_EXEC: 'bash .gitlab-ci/container/container_job_trampoline.sh "${CI_JOB_NAME}"'
     # no need to pull the whole repo to build the container image
     GIT_STRATEGY: none