Multi-project pipelines variable hierarchy

I am attempting to use multi-project pipelines for security scans. I would like to store secure keys in the downstream project. Currently I can only store the variables in the upstream project.

I have tried adding the variable in both projects upstream and downstream but it only works in the upstream project. I would think that the variable hierarchy would look in the downstream project first. Any suggestions would be appreciated. Thanks.

I am not 100% sure if I understand, but you can set your keys as variable in downstream project in .gitlab-ci.yml file.

If your issue is that your variable has the same name in both projects you can disable variable inheritance from upstream pipeline:

trigger-job:
  inherit:
    variables: false
  trigger:
  ....

I tried using inherit: variables: false no luck. The issue is I need to have the variable in the group level variables in order for the variable to be used. I would like it to live in the subgroup of the downstream project. I have tried it in a few locations but the downstream pipeline does not seem to recognize it unless it is in the Main Group. I might add that the Project B is only a collection of jobs triggered from the upstream pipeline in Project A. There is no gitlab-ci.yml in Project B

I am kinda lost here, how do you trigger the downstream pipeline if there is no .gitlab-ci.yml in Project B? There must be one, otherwise multi-project pipelines won’t work.

Back to the variable issues.
Let’s say you define a CI/CD variable on Subgroup B called TEST_VAR with some value.
If you use multi-project pipelines to trigger a Project B pipeline from Project A pipeline the variable TEST_VAR is accessible in all jobs in Project B pipelines.

I cannot reproduce the issue you are seeing.

Thanks for following up. I have a yaml file in Project B that I am calling from the trigger job in Project A

  trigger:
    include:
      - project: 'group/subgroup/project'
        ref: main
        file: 'projectb-analysis.yml'

I have not been able to use the variable in Project B. But the Project B job does use the variable in the Main Group variables. I have seen other anomalies with variable inheritance and manual pipeline variables when using multi-project pipelines. I will make a specific post regarding that issue though.

If you specify:

trigger:
  include:

you are using parent-child pipelines, not multi-project pipelines. That means that the pipeline is run in scope of Project A and nothing from Project B is taken into account. This also means you can’t see any pipeline in Project B Pipelines page.

You are right. I am using parent-child not multi-project. I was confused about the difference. Thanks for the responses.