Still cannot mask SSH_PRIVATE_KEY - why??


As of GitLab 12.x we are still not able to mask SSH_PRIVATE_KEY because it apparently does not meet mask restrictions.

How is this not a security violation at the most basic level and why do these restrictions need to exist in the first place?

The permissions table specifies that only Maintainer and above should be able to manipulate CI/CD variables. I can come in with a Developer status, open a PR that changes .gitlab-ci.yml to echo "$SSH_PRIVATE_KEY" and it will be shown right on stdout, no escalation needed.

Reading through the long and winding gitlab-foss#60790 (closed) and gitlab-foss!29143 (merged), I'm unable to see how either of them solve this issue whatsoever.

I should not be able to echo "$SSH_PRIVATE_KEY", period. At the very least, why is SSH_PRIVATE_KEY not in the list of variables validated by GitLab? GitLab even openly recommends using private keys but then does not allow us to mask them. What gives?
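The workaround people use for this, as an added example that is not part of the issue above and not GitLab's own code: a small POSIX shell script that checks a candidate value against the mask rules as I recall them from the GitLab 12.x documentation (single line, at least 8 characters, only the Base64 alphabet A-Z a-z 0-9 + / =; verify against the docs for your version), shows that a multi-line PEM key fails them, and shows that the same key base64-encoded onto one line passes and decodes back intact in the job. The key material is constructed, not a real key; the helper names and the variable name SSH_PRIVATE_KEY_B64 are my own choices.

```shell
#!/bin/sh
# Added example (not from the issue or from GitLab): why a raw private key is
# not maskable, and the base64 workaround that makes it maskable.

# Constructed, fake key material in PEM layout. Deliberately not a real key.
SAMPLE_KEY="-----BEGIN OPENSSH PRIVATE KEY-----
not-a-real-key-line-1-just-sample-text
not-a-real-key-line-2-just-sample-text
-----END OPENSSH PRIVATE KEY-----"

# A literal newline, used for pattern matching below.
nl="$(printf '\nx')"; nl="${nl%x}"

# is_maskable VALUE
# Returns 0 when VALUE satisfies the (assumed) GitLab 12.x mask rules:
# one line, >= 8 characters, Base64 alphabet only.
is_maskable() {
    value="$1"
    case "$value" in *"$nl"*) return 1 ;; esac               # multi-line: rejected
    [ "${#value}" -ge 8 ] || return 1                        # too short: rejected
    # any character outside A-Za-z0-9+/= disqualifies the value
    printf '%s' "$value" | LC_ALL=C grep -q '[^A-Za-z0-9+/=]' && return 1
    return 0
}

# encode_key KEY
# Base64-encodes KEY and joins the output onto a single line so the result
# can be stored as a masked CI variable (e.g. SSH_PRIVATE_KEY_B64).
encode_key() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# decode_key ENCODED
# Reverses encode_key; this is what the job runs. Uses GNU/coreutils base64 -d.
decode_key() {
    printf '%s' "$1" | base64 -d
}

# install_key ENCODED PATH
# Job-side usage: write the decoded key to PATH with owner-only permissions
# so it is never echoed and never world-readable on the runner.
install_key() {
    umask 077
    decode_key "$1" > "$2"
    chmod 600 "$2"
}

# Demonstration when run stand-alone.
if is_maskable "$SAMPLE_KEY"; then
    echo "raw PEM key: maskable"
else
    echo "raw PEM key: NOT maskable (multi-line, non-Base64 characters)"
fi
ENCODED="$(encode_key "$SAMPLE_KEY")"
if is_maskable "$ENCODED"; then
    echo "base64-encoded key: maskable"
fi
```

Two caveats worth keeping in mind with this workaround: masking only filters the verbatim value out of the job log, so a job that runs something like `echo "$SSH_PRIVATE_KEY_B64" | rev` still leaks it; and the control that actually addresses the Developer-editing-`.gitlab-ci.yml` scenario is marking the variable protected, which exposes it only to pipelines on protected branches and tags that a Developer cannot push to.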
