Restrict variable scope to base .gitlab-ci.yml

Hi all,

Using GitLab Cloud with Runners. We have a base repo with a number of .yml files within our pipeline jobs. These are then included in the .gitlab-ci.yml file in our other repos in the same namespace, like below:

---
include:
  - project: path/to/base-pipeline-repo
    file:
      - build.yml
      - tests.yml
      - deploy.yml

The base repo (path/to/base-pipeline-repo) uses an API key which we don’t want to expose. I’ve set this as a variable at the repo group level, which works, but it doesn’t seem particularly secure as the main repo has access to it.

There’s an option to ‘protect’ the variable, however we need to allow non-protected branch builds to access it, so that can’t be used.

Does anyone have any recommendations on how best to do this? I realize it can be masked in the logs; however, there’s nothing to stop anyone from uploading a new .gitlab-ci.yml file which posts the variable off elsewhere, via curl for example.

We need to somehow limit the scope of the variable to the base pipeline repo.

Thanks in advance.

Hi @Adam.Wilson2

Have you tried defining that variable in your base project Settings → CI/CD → Variables? That should not be inherited by includes.