In multi-project pipelines, allow variables assigned to another variable to be passed to a child job
Problem to solve
Today there is no secure way to pass a predefined CI variable to a child job in a multi-project pipeline.
Passing the actual variable will cause it to be evaluated by the child project, rather than sending the value of the parent.
Assigning the parent value to a new variable and passing that will send the literal name of that variable.
.gitlab-ci.yml
Example parent variables:
PARENT_VAR: $CI_REPOSITORY_URL
list_parent_vars:
stage: deploy
script:
- echo $PARENT_VAR
- echo $CI_REPOSITORY_URL
child:
variables:
PARENT_VAR: $PARENT_VAR
OTHER_URL: $CI_REPOSITORY_URL
stage: deploy
trigger: root/downstream
Output:
$ echo $PARENT_VAR
http://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@runner.example.com/root/upstream.git
$ echo $CI_REPOSITORY_URL
http://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@runner.example.com/root/upstream.git
.gitlab-ci.yml
Example child child_job:
when: manual
stage: deploy
script:
- echo $PARENT_VAR
- echo $OTHER_URL
Output:
(Note that $OTHER_URL
has the URL for the downstream project)
$ echo $PARENT_VAR
$PARENT_VAR
$ echo $OTHER_URL
http://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@runner.example.com/root/downstream-pipe.git
Intended users
Developers
Further details
Proposal
When the value of a variable is assigned to a new variable in a parent job, that value should be passed to the child job.
In the example above, we would expect $PARENT_VAR
to evaluate to http://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@runner.example.com/root/upstream.git
.
Permissions and Security
No change from existing security model.
What does success look like, and how can we measure that?
Customer are able to easily pass predefined values from one project to another.
What is the type of buyer?
Enhancement to existing Premium/Silver feature.
Links / references
/cc @brendan