gitlab-ci-variables-secrets

GitLab CI - Variables & Secrets

Configure CI/CD variables and manage secrets securely in GitLab pipelines.

Variable Types

Predefined Variables

    build:
      script:
        - echo "Branch: $CI_COMMIT_BRANCH"
        - echo "Commit: $CI_COMMIT_SHA"
        - echo "Pipeline: $CI_PIPELINE_ID"
        - echo "Project: $CI_PROJECT_NAME"
        - echo "Registry: $CI_REGISTRY_IMAGE"

Custom Variables

    variables:
      NODE_ENV: production
      DATABASE_URL: "postgres://localhost/app"

    build:
      variables:
        BUILD_TARGET: dist
      script:
        # Arguments after "--" are passed to the build script instead of npm itself.
        - npm run build -- --target=$BUILD_TARGET

Variable Scopes

Global Variables

    variables:
      GLOBAL_VAR: "available everywhere"

Job-Level Variables

    deploy:
      variables:
        DEPLOY_ENV: production
      script:
        - ./deploy.sh $DEPLOY_ENV

Environment-Scoped Variables

Configure in GitLab UI: Settings > CI/CD > Variables

  • Scope to specific environments (production, staging)

  • Scope to specific branches (main, develop)

Protected and Masked Variables

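In .gitlab-ci.yml

    # Values defined in this file are committed to the repository,
    # so only non-secret values belong here.
    variables:
      PUBLIC_KEY:
        value: "pk_test_xxx"
        description: "Stripe public key"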

In GitLab UI

Set variables with:

  • Protected: Only available on protected branches/tags

  • Masked: Hidden in job logs (requires specific format)

  • Expanded: Allow variable references within value

File-Type Variables

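    deploy:
      script:
        # $KUBECONFIG holds the path to a temporary file with the variable's contents.
        # Check that the file exists rather than printing it: cat would write the
        # credentials into the job log.
        - test -s "$KUBECONFIG"
        - kubectl apply -f deployment.yaml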

External Secret Providers

HashiCorp Vault

    job:
      secrets:
        DATABASE_PASSWORD:
          vault:
            engine:
              name: kv-v2
              path: secret
            field: password
            path: production/db

Azure Key Vault

    job:
      secrets:
        API_KEY:
          azure_key_vault:
            name: my-api-key
            version: latest

AWS Secrets Manager

    job:
      secrets:
        AWS_SECRET:
          aws_secrets_manager:
            name: prod/api-key
            version_id: latest

OIDC Authentication

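    deploy:aws:
      id_tokens:
        AWS_TOKEN:
          aud: https://gitlab.com
      script:
        # --role-session-name is required by assume-role-with-web-identity.
        - >
          aws sts assume-role-with-web-identity
          --role-arn $AWS_ROLE_ARN
          --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
          --web-identity-token $AWS_TOKEN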
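
The OIDC job only presents a token; which jobs can assume the role is decided by the conditions the role places on the token's claims. The following is an added example, not part of the original skill: it models three trust conditions against constructed claims, and `mygroup/myproject`, `othergroup/other` and the branch names are placeholders.

```python
from fnmatch import fnmatchcase

ISSUER = "https://gitlab.com"
AUDIENCE = "https://gitlab.com"  # the aud value set under id_tokens in the job


def claims_for(project_path, ref_type, ref):
    """Build the claims relevant to role assumption, using GitLab's sub format."""
    return {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}",
    }


def trusts(policy, claims):
    """Return True when every condition in the policy matches the token claims.

    Patterns use * and ? wildcards, approximating a StringLike condition.
    A claim the policy does not mention is not checked at all.
    """
    return all(
        fnmatchcase(claims.get(name, ""), pattern)
        for name, pattern in policy.items()
    )


# Weak: only issuer and audience are checked, so any project on the instance matches.
AUD_ONLY = {"iss": ISSUER, "aud": AUDIENCE}
# Narrower: limited to one project, but every branch and tag in it matches.
PROJECT_WIDE = {**AUD_ONLY, "sub": "project_path:mygroup/myproject:*"}
# Pinned: one project, one branch.
MAIN_ONLY = {**AUD_ONLY,
             "sub": "project_path:mygroup/myproject:ref_type:branch:ref:main"}

# Constructed jobs: the deploy branch, a feature branch, and an unrelated project.
JOBS = {
    "myproject main": claims_for("mygroup/myproject", "branch", "main"),
    "myproject feature": claims_for("mygroup/myproject", "branch", "feature/x"),
    "other project main": claims_for("othergroup/other", "branch", "main"),
}


def decisions(policy):
    """Map each constructed job to whether the policy would accept its token."""
    return {name: trusts(policy, c) for name, c in JOBS.items()}


if __name__ == "__main__":
    for label, policy in [("aud only", AUD_ONLY), ("project wide", PROJECT_WIDE),
                          ("main only", MAIN_ONLY)]:
        print(f"{label:13}", decisions(policy))
```

Only the pinned condition limits role assumption to the deploy branch; combine it with a protected branch so that only authorized users can run jobs there.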

Best Practices

  • Never hardcode secrets in .gitlab-ci.yml

  • Use protected variables for production credentials

  • Mask sensitive values to prevent log exposure

  • Prefer OIDC over long-lived credentials

  • Scope variables to minimum required environments

  • Use file-type variables for certificates and keys
