Enable dynamic additions to list of masked variables from within the pipeline


Release notes

Enable dynamic, custom additions to list of masked variables from within the pipeline

Problem to solve

If an include or extension is called in CI and it injects values that should be masked, the same job should be able to dynamically extend the list of currently masked variables. For instance, a custom secret manager integration could dynamically create pipeline variables and mask them.

Proposal

This type of problem is handled on other systems by simply specifying a list of variable names in another variable.

Create a new pre-defined variable such as "MASKED_VARIABLES" which is populated by a delimited list of variables.

This variable should only hold additions to the list that is already determined by the existing GitLab CI logic. It should not take over as a list of all variables to be protected as this would open up existing logic to hacking by clearing the variable.

What is unclear is whether these can be passed into the pipeline as masked? Can masked variables be protected when coded into dotenv files?

However, even if the project had to define this variable in a top-level "variables:" section, the feature would still retain a lot of value.

Edited by 🤖 GitLab Bot 🤖
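
The additive behaviour proposed in this issue, as an added sketch that is not GitLab's code and not part of the original issue: names listed in `MASKED_VARIABLES` extend a base set of masked names, and clearing the variable never shrinks that set. The comma/whitespace delimiter, the function names, the `[MASKED]` token and the sample values are all assumptions made for illustration.

```python
import re

MASK = "[MASKED]"  # assumed replacement token


def effective_masked_names(base_masked, env, list_var="MASKED_VARIABLES"):
    """Return base masked names plus job-declared additions (hypothetical helper).

    base_masked: names the platform already decided to mask.
    env:         job environment as a dict of name -> value.
    """
    # Assumed delimiter: commas and/or whitespace.
    extra = re.split(r"[,\s]+", env.get(list_var, ""))
    # Additions only: an empty or cleared list variable leaves the base set intact,
    # and names that do not exist in the environment are ignored.
    return set(base_masked) | {n for n in extra if n and n in env}


def mask_line(line, base_masked, env):
    """Replace the value of every effectively masked variable in one log line."""
    names = effective_masked_names(base_masked, env)
    # Skip empty values (they would match everywhere) and replace longest first,
    # so a secret that contains another secret is hidden in full.
    values = sorted({env[n] for n in names if env.get(n)}, key=len, reverse=True)
    for value in values:
        line = line.replace(value, MASK)
    return line


if __name__ == "__main__":
    # Constructed sample: VAULT_TOKEN stands in for a value injected at run time
    # by a custom secret manager integration.
    base = {"DEPLOY_KEY"}
    env = {
        "DEPLOY_KEY": "base-secret-0001",
        "VAULT_TOKEN": "dyn-secret-9f3a",
        "MASKED_VARIABLES": "VAULT_TOKEN, NOT_DEFINED",
    }
    print(mask_line("token=dyn-secret-9f3a key=base-secret-0001", base, env))

    # A job that clears the list variable loses only its own additions.
    env["MASKED_VARIABLES"] = ""
    print(mask_line("token=dyn-secret-9f3a key=base-secret-0001", base, env))
```
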