Secret Variables are not present in "only tags"-builds
Summary
When using the "only tags" feature, secret variables are not passed to the runner.
Steps to reproduce
.gitlab-ci.yml
stages:
  - build
build:
  stage: build
  image:
    name: cgswong/aws:aws
    entrypoint: [""]
  script:
    - 'printenv'
  only:
    - tags
- Go to "Settings" > "CI / CD" > "Variables".
- Add AWS_SECRET_ACCESS_KEY = imNotHere as protected
- Make a new tag/release
- See that the console output does not contain AWS_SECRET_ACCESS_KEY
Example Project
https://gitlab.com/sazo/secret-var-bug
What is the current bug behavior?
Missing environment variable
What is the expected correct behavior?
The environment variable is present
Relevant logs and/or screenshots
Running with gitlab-runner 11.1.0 (081978aa)
on docker-auto-scale ed2dce3a
Using Docker executor with image cgswong/aws:aws ...
Pulling docker image cgswong/aws:aws ...
Using docker image sha256:98c5f4206f2bdb4e9c74ec78696b93a15409efd6909cd463214862a3c0b393a7 for cgswong/aws:aws ...
Running on runner-ed2dce3a-project-7935685-concurrent-0 via runner-ed2dce3a-srm-1534241056-2220a851...
Cloning repository...
Cloning into '/builds/sazo/secret-var-bug'...
Checking out 4b53d0ff as 0.1.0...
Skipping Git submodules setup
$ printenv
CI_PROJECT_NAME=secret-var-bug
CI_REGISTRY=registry.gitlab.com
CI_BUILD_TOKEN=xxxxxxxxxxxxxxxxxxxx
HOSTNAME=runner-ed2dce3a-project-7935685-concurrent-0
CI_PROJECT_URL=https://gitlab.com/sazo/secret-var-bug
CI_PROJECT_VISIBILITY=public
CI_JOB_URL=https://gitlab.com/sazo/secret-var-bug/-/jobs/89160911
CI_REGISTRY_USER=gitlab-ci-token
CI_BUILD_BEFORE_SHA=0000000000000000000000000000000000000000
CI_SERVER_VERSION=11.2.0-rc2-ee
CI_BUILD_ID=89160911
GITLAB_USER_LOGIN=sazo
OLDPWD=/
GITLAB_USER_EMAIL=danielflynygaard@gmail.com
CI_DISPOSABLE_ENVIRONMENT=true
CI_RUNNER_EXECUTABLE_ARCH=linux/amd64
CI_COMMIT_TITLE=Bug
CI_SERVER_TLS_CA_FILE=/builds/sazo/secret-var-bug.tmp/CI_SERVER_TLS_CA_FILE
CI_COMMIT_REF_NAME=0.1.0
DOCKER_DRIVER=overlay2
CI_JOB_TOKEN=xxxxxxxxxxxxxxxxxxxx
CI_PROJECT_ID=7935685
CI_RUNNER_ID=380987
CI_RUNNER_REVISION=081978aa
CI_COMMIT_DESCRIPTION=
CI_COMMIT_MESSAGE=Bug
PAGER=less -r
CI_PIPELINE_ID=27860586
CI_BUILD_REF_NAME=0.1.0
CI_BUILD_REF=4b53d0ff312cd479f39d92c1cae660ba4b7beb7b
CI_COMMIT_REF_SLUG=0-1-0
CI_BUILD_TAG=0.1.0
GITLAB_USER_NAME=Daniel Fly
CI_REPOSITORY_URL=https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.com/sazo/secret-var-bug.git
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
CI_BUILD_STAGE=build
CI_PROJECT_DIR=/builds/sazo/secret-var-bug
CI_REGISTRY_PASSWORD=xxxxxxxxxxxxxxxxxxxx
CI_RUNNER_TAGS=gce, docker
CI_REGISTRY_IMAGE=registry.gitlab.com/sazo/secret-var-bug
PWD=/builds/sazo/secret-var-bug
CI_PIPELINE_SOURCE=push
CI_JOB_STAGE=build
CI_SERVER_NAME=GitLab
CI_PROJECT_PATH=sazo/secret-var-bug
CI_COMMIT_BEFORE_SHA=0000000000000000000000000000000000000000
GITLAB_FEATURES=audit_events,burndown_charts,contribution_analytics,elastic_search,export_issues,external_files_in_gitlab_ci,group_burndown_charts,group_webhooks,issuable_default_templates,issue_board_focus_mode,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_ldap_servers,multiple_issue_assignees,multiple_project_issue_boards,push_rules,project_creation_level,protected_refs_for_users,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,admin_audit_log,auditor_user,board_assignee_lists,cross_project_pipelines,email_additional_text,db_load_balancing,deploy_board,extended_audit_events,file_locks,geo,github_project_service_integration,jira_dev_panel_integration,ldap_group_sync_filter,multiple_clusters,multiple_group_issue_boards,merge_request_performance_metrics,object_storage,group_saml,service_desk,unprotection_restrictions,variable_environment_scope,reject_unsigned_commits,commit_committer_check,external_authorization_service,ci_cd_projects,system_header_footer,custom_project_templates,dependency_scanning,license_management,sast,sast_container,cluster_health,dast,epics,ide,chatops,pod_logs,pseudonymizer,prometheus_alerts
CI_PIPELINE_IID=7
CI_PIPELINE_URL=https://gitlab.com/sazo/secret-var-bug/pipelines/27860586
GITLAB_CI=true
CI_RUNNER_VERSION=11.1.0
CI_SERVER_REVISION=7996ef5
CI_COMMIT_SHA=4b53d0ff312cd479f39d92c1cae660ba4b7beb7b
CI_CONFIG_PATH=.gitlab-ci.yml
CI_BUILD_NAME=build
HOME=/root
SHLVL=2
CI_PROJECT_PATH_SLUG=sazo-secret-var-bug
CI_SERVER=yes
CI=true
CI_PROJECT_NAMESPACE=sazo
CI_BUILD_REF_SLUG=0-1-0
CI_RUNNER_DESCRIPTION=shared-runners-manager-6.gitlab.com
GITLAB_USER_ID=1714087
CI_JOB_ID=89160911
CI_COMMIT_TAG=0.1.0
CI_JOB_NAME=build
_=/bin/printenv
Job succeeded
Output of checks
This bug happens on GitLab.com
Possible fixes
Setting the variable to non-protected and dropping security :(
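
An added example, not part of the original issue or of GitLab's own code: a POSIX sh preflight that reports missing CI variables by name only, so a job can diagnose this situation without `printenv`, which writes every variable's value to the job log. It relies on GitLab's documented rule that protected variables are passed only to jobs running on protected branches or protected tags; the function names `missing_vars` and `preflight` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Values are never echoed.

# missing_vars NAME... -> prints each unset or empty name, one per line.
# Returns 0 if all are set, 1 if any is missing, 2 on an invalid name.
missing_vars() {
    _mv_rc=0
    for _mv_name in "$@"; do
        # Accept only valid shell identifiers before handing the name to eval.
        case "$_mv_name" in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "invalid variable name: $_mv_name" >&2
                return 2 ;;
        esac
        eval "_mv_value=\${$_mv_name:-}"
        if [ -z "$_mv_value" ]; then
            echo "$_mv_name"
            _mv_rc=1
        fi
    done
    unset _mv_value
    return "$_mv_rc"
}

# preflight NAME... -> fails the job early and points at the protected-ref
# rule when a required variable is absent on a tag build.
preflight() {
    _pf_rc=0
    _pf_missing=$(missing_vars "$@") || _pf_rc=$?
    [ "$_pf_rc" -eq 0 ] && return 0
    [ "$_pf_rc" -eq 2 ] && return 2
    # Names were validated above, so unquoted expansion only joins them.
    echo "Missing CI variables:" $_pf_missing >&2
    if [ -n "${CI_COMMIT_TAG:-}" ]; then
        echo "Job runs for tag '$CI_COMMIT_TAG'. Protected variables are" >&2
        echo "passed only to protected branches and protected tags; check" >&2
        echo "Settings > Repository > Protected Tags for a matching rule." >&2
    fi
    return 1
}

# Usage in the job's script section, in place of 'printenv':
#   - . ./ci-preflight.sh    # hypothetical file name for this block
#   - preflight AWS_SECRET_ACCESS_KEY
```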