In multi-project pipelines, allow variables assigned to another variable to be passed to a child job
Problem to solve
Today there is no secure way to pass a predefined CI variable to a child job in a multi-project pipeline.
Passing the actual variable will cause it to be evaluated by the child project, rather than sending the value of the parent.
Assigning the parent value to a new variable and passing that will send the literal name of that variable.
variables: PARENT_VAR: $CI_REPOSITORY_URL list_parent_vars: stage: deploy script: - echo $PARENT_VAR - echo $CI_REPOSITORY_URL child: variables: PARENT_VAR: $PARENT_VAR OTHER_URL: $CI_REPOSITORY_URL stage: deploy trigger: root/downstream
$ echo $PARENT_VAR http://gitlab-ci-token:email@example.com/root/upstream.git $ echo $CI_REPOSITORY_URL http://gitlab-ci-token:firstname.lastname@example.org/root/upstream.git
child_job: when: manual stage: deploy script: - echo $PARENT_VAR - echo $OTHER_URL
$OTHER_URL has the URL for the downstream project)
$ echo $PARENT_VAR $PARENT_VAR $ echo $OTHER_URL http://gitlab-ci-token:email@example.com/root/downstream-pipe.git
When the value of a variable is assigned to a new variable in a parent job, that value should be passed to the child job.
In the example above, we would expect
$PARENT_VAR to evaluate to
Permissions and Security
No change from existing security model.
What does success look like, and how can we measure that?
Customer are able to easily pass predefined values from one project to another.
What is the type of buyer?
Enhancement to existing Premium/Silver feature.
Links / references