Review apps for merge requests - how can I avoid secret leakage?

I have created a pipeline that includes deploying a Review App if $CI_MERGE_REQUEST_ID is present.

Those jobs do two things:

  • Build and upload a Docker image to a Docker registry (ECR); for this it relies on CI/CD environment variables (with the credentials for the Docker registry: AWS_ACCESS_KEY_ID, etc.)
  • helm upgrade --install --wait to deploy the review app to Kubernetes, customizing the ingress address

My problem is that for this to work I need to "un-protect" the CI/CD variables so that they are available in the merge request branch, but that lets anybody who can create an MR modify the .gitlab-ci.yml and leak the contents of the variables.

Is there any best practice on how to avoid this?

From what I see in the documentation, on a first cursory search it seems that there are two alternatives

Again, my concern is that I need to use secrets/credentials in the CI/CD environment variables, and I fear that those can leak if the developers make changes to the .gitlab-ci.yml. So how do people usually go about this?
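For readers who want to see the shape of the pipeline the question describes, here is an added illustration of such a `.gitlab-ci.yml` (it is not the poster's own file). Both jobs are gated on `$CI_MERGE_REQUEST_ID`, the build job logs in to ECR with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` taken from CI/CD variables, and the deploy job runs `helm upgrade --install --wait` with a per-branch ingress host. The names `AWS_REGION`, `ECR_REGISTRY`, `APP_NAME`, the chart path `./chart` and the `review.example.com` domain are assumptions. Because these jobs run on merge request branches, the variables they read must be visible there, which is exactly the exposure the question is about: anyone who can push a commit to an MR can edit the `script:` section and print them.

```yaml
# Added illustration of the review-app pipeline described in the question;
# not the poster's actual configuration. AWS_REGION, ECR_REGISTRY, APP_NAME,
# ./chart and review.example.com are assumed values.
stages:
  - build
  - deploy

build_review_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  rules:
    # Only run for pipelines that belong to a merge request.
    - if: $CI_MERGE_REQUEST_ID
  script:
    - apk add --no-cache aws-cli
    # Reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from CI/CD variables.
    # If those variables are marked "protected", this job on an MR branch
    # does not see them; if they are not protected, any MR author can edit
    # this script and print them.
    - aws ecr get-login-password --region "$AWS_REGION"
      | docker login --username AWS --password-stdin "$ECR_REGISTRY"
    - docker build -t "$ECR_REGISTRY/$APP_NAME:$CI_COMMIT_SHORT_SHA" .
    - docker push "$ECR_REGISTRY/$APP_NAME:$CI_COMMIT_SHORT_SHA"

deploy_review_app:
  stage: deploy
  image: alpine/helm:3
  rules:
    - if: $CI_MERGE_REQUEST_ID
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
  script:
    # One Helm release and namespace per merge request branch, with the
    # ingress host customised from the branch slug.
    - >
      helm upgrade --install --wait "review-$CI_COMMIT_REF_SLUG" ./chart
      --namespace "review-$CI_COMMIT_REF_SLUG" --create-namespace
      --set image.repository="$ECR_REGISTRY/$APP_NAME"
      --set image.tag="$CI_COMMIT_SHORT_SHA"
      --set ingress.host="$CI_COMMIT_REF_SLUG.review.example.com"
```

The `environment:` block ties the deployment to a GitLab review environment named after the branch; the registry credentials are only referenced implicitly through the `aws` CLI, but nothing in the job prevents a modified `script:` from echoing them, which is the point the question raises.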