Protected variables for all MR's branches


My usecase. I create merge request and branch for WIP work. In ci/cd settings I have step that run manually, that create special environment in kubernetes with current MR. So when I commit, some steps test my code and if I push “preview” step manually next steps creates docker image and helm chart.

When I create chart it uploades to chartmuseum with basic auths. So auth credentials I store in protected variables.

Question is if protected variables must works in all MRs do I need all branches must be protected? So I must setup project with “*” as protected branch name? Or I can safe just “mask” variables with password and do not protect it?

Or may be another solutions in my case?