CI variables

Stored securely in the GitLab server

Injected into jobs at runtime

Available in project-, group- and instance-level

Careful with protected variables

Loops are detected, e.g. FOO=$BAR and BAR=$FOO


  1. Go to Settings > CI/CD and unfold Variables
  2. Create unprotected variable AUTHOR and set to a value of your choice
  3. Update build command and add AUTHOR:

       script: |
       - go build \
             -ldflags "-X main.Version=${CI_COMMIT_REF_NAME} 
                       -X 'main.Author=${AUTHOR}'" \
             -o hello \

  4. Fetch change:

     git checkout origin/160_gitlab_ci/020_variables/ci -- '*'

Pro tip: Masked variables for all values

Many values are rejected by GitLab

Store base64-encoded values

Decode values before use:

  - echo "$( echo "${MASKED_VAR}" | base64 -d )"

Careful! Original value will not be masked!

Pro tip 2: Protect masked variables

Prevent project maintainers/owners to read masked CI variables:

  1. Define variable in parent group
  2. Limit permissions to group

Still security by obscurity

But masked values can always be leaked through a pipeline:

  - echo "${MASKED_VAR}" | base64