Need to protect predefined environment variable


Problem to solve

Hello issue team, I need to protect a predefined environment variable in my GitLab CI pipeline.

Intended users

Maybe all users, because it could be a security improvement

Further details

I need a simple way to protect a predefined environment variable during runner execution, e.g. GITLAB_USER_EMAIL, to prevent someone from setting another value.

Proposal

Add the possibility to make some predefined environment variables read-only?

  1. Define the minimum role to define custom CI variables;
  2. Define the minimum role to overwrite;
  3. Be able to define these rules at group and / or instance level;
  4. Warn that custom definition and overriding CI vars is enabled by default (which means relying on these variables could be a security risk).

Partial workaround

curl -v -H "Accept: application/json" -H "Authorization: bearer ${GITLAB_API_TOKEN}" -X PUT --data "restrict_user_defined_variables=true" https://${GITLAB_HOSTNAME}/api/v4/projects/${GITLAB_PROJECT_ID} | jq
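As an added example (not from the issue author or from GitLab's own tooling), the script below audits a list of projects for the same setting the workaround flips, using the GET side of the Projects API endpoint shown above. It assumes GITLAB_HOSTNAME and GITLAB_API_TOKEN in the environment, as in the curl command, and that the project JSON carries the restrict_user_defined_variables field; the sample projects at the top are constructed for offline use.

```python
"""Audit GitLab projects whose pipeline users may still define or override
CI variables, i.e. where restrict_user_defined_variables is not enabled."""
import json
import os
import sys
import urllib.request

# Constructed sample of what GET /api/v4/projects/:id returns (trimmed).
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "grp/locked", "restrict_user_defined_variables": True},
    {"id": 2, "path_with_namespace": "grp/open", "restrict_user_defined_variables": False},
    {"id": 3, "path_with_namespace": "grp/unknown"},  # field absent: treat as not restricted
]


def unrestricted_projects(projects):
    """Return paths of projects where the restriction is off or not reported.
    A missing field is reported too, so an audit never silently passes a project."""
    findings = []
    for project in projects:
        if not project.get("restrict_user_defined_variables", False):
            findings.append(project.get("path_with_namespace", str(project.get("id"))))
    return findings


def fetch_project(host, token, project_id):
    """GET one project from the Projects API with a bearer token (same endpoint as the
    curl workaround, but read-only). Hypothetical helper for the audit above."""
    url = f"https://{host}/api/v4/projects/{project_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit(host, token, project_ids):
    """Fetch each project by ID and return the ones still allowing user-defined variables."""
    return unrestricted_projects([fetch_project(host, token, pid) for pid in project_ids])


if __name__ == "__main__":
    # Usage: python audit_ci_vars.py <project_id> [<project_id> ...]
    host = os.environ["GITLAB_HOSTNAME"]
    token = os.environ["GITLAB_API_TOKEN"]
    for path in audit(host, token, sys.argv[1:]):
        print(f"{path}: restrict_user_defined_variables is not enabled")
```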

Permissions and Security

Don't know exactly what permissions can be applied; the goal is to protect some predefined environment variables to improve security.

Documentation

Testing

What does success look like, and how can we measure that?

Links / references

I've opened this support case: https://support.gitlab.com/hc/en-us/requests/118975

Edited Aug 13, 2025 by 🤖 GitLab Bot 🤖