Should the dotenv report artifact be saved?

My understanding of how the dotenv report is supposed to work is that it allows you to pass environment variables between jobs without saving them anywhere. However, I’ve just noticed that while the artifacts created from a dotenv report aren’t available at the job level, they ARE available from the pipeline view.

Does anyone know if that’s an intentional feature? Seems like it could be a security risk if we’re passing secrets via environment variables. I don’t know if it’s related to this at all:

The latest artifacts for refs are locked against deletion, and kept regardless of the expiry time. Introduced in GitLab 13.0 behind a disabled feature flag, and made the default behavior in GitLab 13.4.

Pipeline List View - Artifacts can be downloaded

Pipeline Detail - Job List View - Artifacts can’t be downloaded

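An added example (not part of the original post, and not GitLab's own code), prompted by the concern above: a check a job could run on the file it is about to declare under `artifacts:reports:dotenv`, failing the job if any variable looks like a secret. The name and value patterns, the function names and the sample file are assumptions constructed for illustration.

```python
import re
import sys

# Name fragments that usually indicate a credential (assumed list, tune per project).
SECRET_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I)
# Value shapes that look like credentials whatever the variable is called.
SECRET_VALUE = re.compile(
    r"(-----BEGIN [A-Z ]*PRIVATE KEY-----|\bglpat-[0-9A-Za-z_\-]{20,})")

def parse_dotenv(text):
    """Yield (line_no, key, value) for KEY=VALUE lines; skip blanks and comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield no, key.strip(), value.strip().strip("'\"")

def find_secrets(text):
    """Return (line_no, key, reason) for every variable that looks sensitive."""
    findings = []
    for no, key, value in parse_dotenv(text):
        if SECRET_NAME.search(key):
            findings.append((no, key, "name"))
        elif SECRET_VALUE.search(value):
            findings.append((no, key, "value"))
    return findings

# Constructed sample dotenv content; none of these values are real.
SAMPLE = """\
# constructed sample
BUILD_VERSION=1.4.2
IMAGE_TAG=registry.example.com/app:1.4.2
DEPLOY_TOKEN=not-a-real-token
UPLOAD_URL=https://example.com/u
NOTE=glpat-AAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    # Usage: python check_dotenv.py build.env  (file name is hypothetical)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_secrets(text)
    for no, key, why in hits:
        print(f"line {no}: {key} looks like a secret (matched on {why})")
    sys.exit(1 if hits else 0)
```

Run it as the last step of the job's script, before the dotenv file is collected, so a non-zero exit fails the job.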