CI variables

Stored securely in the GitLab server

Injected into jobs at runtime

Available in project-, group- and instance-level

Careful with protected variables

Hands-On

1. Go to Settings > CI/CD and unfold Variables
2. Create unprotected variable AUTHOR and set to a value of your choice

3. Update build command:

    build:
      script: |
      - go build \
            -ldflags "-X main.Version=${CI_COMMIT_REF_NAME} -X 'main.Author=${AUTHOR}'" \
            -o hello \
            .
   

Pro tip: Protect masked variables

Prevent project maintainers/owners to read masked CI variables:

1. Define variable in parent group
2. Limit permissions to group

Still security by obscurity

But masked values can always be leaked through a pipeline:

job_name:
  script:
  - echo "${MASKED_VAR}" | base64