Use file based variables for GPG_KEY

What does this MR do?

ci: use file-based GPG key

Inside of CI it's safer to use file-based variables for secrets like GPG since anything can accidentally print the variable or end up using that variable for something that is unexpected. Inside of Settings > CI/CD > Variables, 2 new variables are added, GPG_KEY_PATH and GPG_PASSPHRASE_PATH, which have the same values as before but are file-based variables.

The GPG key is used for package signing and release signing, so if the paths are set, set the environment variables accordingly.

refactor(ci): remove unset GPG_KEY

With #27963 the variables were moved to be file-based so there is no longer a need to unset this variable. There is also a plan to scope these variables for specific jobs through environments.

There was already a problem with this unset from a maintainability perspective because not all jobs had it or it wasn't safe enough for us.

What's the best way to test this MR?

There isn't a really easy way to test this given that these jobs run on master.

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27963
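A pre-signing guard for the file-based variables described above, as an added example that is not code from this MR or from gitlab-runner: it checks that GPG_KEY_PATH and GPG_PASSPHRASE_PATH hold paths to readable, non-empty files, and fails if a variable carries key material directly (the variable was created with the wrong type), without ever echoing the value. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Validates that a CI variable
# holds the *path* of a secret file, never the secret itself.
# Return codes: 0 ok, 1 unset, 2 value is key material, 3 not a readable
# file, 4 empty file. Only the variable NAME is ever printed.
check_secret_file() {
    name=$1
    eval "value=\${$name:-}"          # indirect lookup of the named variable
    if [ -z "$value" ]; then
        echo "$name is not set" >&2
        return 1
    fi
    case $value in
        *"-----BEGIN PGP"*)
            # An armored key in the value means the variable is a regular
            # variable, so the key sits in the job environment.
            echo "$name contains key material; set its type to File" >&2
            return 2 ;;
    esac
    if [ ! -f "$value" ] || [ ! -r "$value" ]; then
        echo "$name does not point to a readable file" >&2
        return 3
    fi
    if [ ! -s "$value" ]; then
        echo "$name points to an empty file" >&2
        return 4
    fi
    return 0
}

# Import the signing key straight from the files, so neither the key nor
# the passphrase is copied into an environment variable or the job log.
import_signing_key() {
    check_secret_file GPG_KEY_PATH &&
        check_secret_file GPG_PASSPHRASE_PATH || return
    gpg --batch --pinentry-mode loopback \
        --passphrase-file "$GPG_PASSPHRASE_PATH" \
        --import "$GPG_KEY_PATH"
}
```

Calling `import_signing_key` at the start of a signing job makes a mistyped variable fail the job before any signing step reads it.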