How to protect CI secrets for open-source project?


I have a project with CI/CD and CI/CD secrets (for connecting to GCP to pull/push docker images and to deploy to a kubernetes cluster in GCP). I’d like to open-source my project while also making sure that these secrets can’t be seen by people who I haven’t explicitly approved. Is this possible?

What I’m most worried about is someone doing something like the following:

  • edit the .gitlab-ci.yaml file with a line like echo $GCP_REGISTRY_TOKEN
  • push this branch
  • look at the log output of the CI job with that edit
  • have access to my GCP docker image registry

Does gitlab make it possible to hide these sorts of things from non-approved contributors?