gitlab-ci-variables-secrets

GitLab CI - Variables & Secrets

Configure CI/CD variables and manage secrets securely in GitLab pipelines.

Variable Types

Predefined Variables

build:
  script:
    - echo "Branch: $CI_COMMIT_BRANCH"
    - echo "Commit: $CI_COMMIT_SHA"
    - echo "Pipeline: $CI_PIPELINE_ID"
    - echo "Project: $CI_PROJECT_NAME"
    - echo "Registry: $CI_REGISTRY_IMAGE"

Custom Variables

variables:
  NODE_ENV: production
  DATABASE_URL: "postgres://localhost/app"

build:
  variables:
    BUILD_TARGET: dist
  script:
    - npm run build --target=$BUILD_TARGET

Variable Scopes

Global Variables

variables:
  GLOBAL_VAR: "available everywhere"

Job-Level Variables

deploy:
  variables:
    DEPLOY_ENV: production
  script:
    - ./deploy.sh $DEPLOY_ENV

Environment-Scoped Variables

Configure in GitLab UI: Settings > CI/CD > Variables

Scope to specific environments (production, staging)
Scope to specific branches (main, develop)

Protected and Masked Variables

In gitlab-ci.yml

variables:
  PUBLIC_KEY:
    value: "pk_test_xxx"
    description: "Stripe public key"

In GitLab UI

Set variables with:

Protected: Only available on protected branches/tags
Masked: Hidden in job logs (requires specific format)
Expanded: Allow variable references within value

File-Type Variables

deploy:
  script:
    - cat $KUBECONFIG  # File variable contents
    - kubectl apply -f deployment.yaml

External Secret Providers

HashiCorp Vault

job:
  secrets:
    DATABASE_PASSWORD:
      vault:
        engine:
          name: kv-v2
          path: secret
        field: password
        path: production/db

Azure Key Vault

job:
  secrets:
    API_KEY:
      azure_key_vault:
        name: my-api-key
        version: latest

AWS Secrets Manager

job:
  secrets:
    AWS_SECRET:
      aws_secrets_manager:
        name: prod/api-key
        version_id: latest

OIDC Authentication

deploy:aws:
  id_tokens:
    AWS_TOKEN:
      aud: https://gitlab.com
  script:
    - >
      aws sts assume-role-with-web-identity
      --role-arn $AWS_ROLE_ARN
      --web-identity-token $AWS_TOKEN

Best Practices

Never hardcode secrets in .gitlab-ci.yml
Use protected variables for production credentials
Mask sensitive values to prevent log exposure
Prefer OIDC over long-lived credentials
Scope variables to minimum required environments
Use file-type variables for certificates and keys

GitLab CI - Variables & Secrets

Configure CI/CD variables and manage secrets securely in GitLab pipelines.

Variable Types

Predefined Variables

build:
  script:
    - echo "Branch: $CI_COMMIT_BRANCH"
    - echo "Commit: $CI_COMMIT_SHA"
    - echo "Pipeline: $CI_PIPELINE_ID"
    - echo "Project: $CI_PROJECT_NAME"
    - echo "Registry: $CI_REGISTRY_IMAGE"

Custom Variables

variables:
  NODE_ENV: production
  DATABASE_URL: "postgres://localhost/app"

build:
  variables:
    BUILD_TARGET: dist
  script:
    - npm run build --target=$BUILD_TARGET

Variable Scopes

Global Variables

variables:
  GLOBAL_VAR: "available everywhere"

Job-Level Variables

deploy:
  variables:
    DEPLOY_ENV: production
  script:
    - ./deploy.sh $DEPLOY_ENV

Environment-Scoped Variables

Configure in GitLab UI: Settings > CI/CD > Variables

Scope to specific environments (production, staging)
Scope to specific branches (main, develop)

Protected and Masked Variables

In gitlab-ci.yml

variables:
  PUBLIC_KEY:
    value: "pk_test_xxx"
    description: "Stripe public key"

In GitLab UI

Set variables with:

Protected: Only available on protected branches/tags
Masked: Hidden in job logs (requires specific format)
Expanded: Allow variable references within value

File-Type Variables

deploy:
  script:
    - cat $KUBECONFIG  # File variable contents
    - kubectl apply -f deployment.yaml

External Secret Providers

HashiCorp Vault

job:
  secrets:
    DATABASE_PASSWORD:
      vault:
        engine:
          name: kv-v2
          path: secret
        field: password
        path: production/db

Azure Key Vault

job:
  secrets:
    API_KEY:
      azure_key_vault:
        name: my-api-key
        version: latest

AWS Secrets Manager

job:
  secrets:
    AWS_SECRET:
      aws_secrets_manager:
        name: prod/api-key
        version_id: latest

OIDC Authentication

deploy:aws:
  id_tokens:
    AWS_TOKEN:
      aud: https://gitlab.com
  script:
    - >
      aws sts assume-role-with-web-identity
      --role-arn $AWS_ROLE_ARN
      --web-identity-token $AWS_TOKEN

Best Practices

Never hardcode secrets in .gitlab-ci.yml
Use protected variables for production credentials
Mask sensitive values to prevent log exposure
Prefer OIDC over long-lived credentials
Scope variables to minimum required environments
Use file-type variables for certificates and keys

gitlab-ci-variables-secrets

Tool Access

Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

gitlab-ci-variables-secrets

Tool Access

Preview

SKILL.md

GitLab CI - Variables & Secrets

Variable Types

Predefined Variables

Custom Variables

Variable Scopes

Global Variables

Job-Level Variables

Environment-Scoped Variables

Protected and Masked Variables

In gitlab-ci.yml

In GitLab UI

File-Type Variables

External Secret Providers

HashiCorp Vault

Azure Key Vault

AWS Secrets Manager

OIDC Authentication

Best Practices

Similar Skills

Help us improve

GitLab CI - Variables & Secrets

Variable Types

Predefined Variables

Custom Variables

Variable Scopes

Global Variables

Job-Level Variables

Environment-Scoped Variables

Protected and Masked Variables

In gitlab-ci.yml

In GitLab UI

File-Type Variables

External Secret Providers

HashiCorp Vault

Azure Key Vault

AWS Secrets Manager

OIDC Authentication

Best Practices