CI: File variables expand to contents in matrix

Summary

CI file variables in parallel.matrix expand to the contents of the file, not the path of the file. I do not expect the contents of file variables to be available unless the pipeline contains something equivalant to cat $MY_FILE_VARIABLE.

Context

I encountered this while setting up a pipeline to run terraform plan on multiple environments. These environments have components in different GCP organizations and therefore need different service account credentials (provided via the file pointed to by GOOGLE_APPLICATION_CREDENTIALS).

Steps to reproduce

  1. Register a file variable on the CI.
  2. Reference the variable in the matrix of a job.
  3. Reference the matrix key in a script.
  4. Observe that the referenced matrix key did not expand to the file path as expected, but the file contents instead.

Example Project

Created project gitlab-ci-matrix-expansion-example.

Defined CI variables of type "File":

  • GOOGLE_APPLICATION_CREDENTIALS_INTERNAL with contents secret internal credentials.
  • GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION with contents secret production credentials.

The project contains the example pipeline:

stages:
- example

expand_example:
  stage: example
  only:
  - merge_requests
  parallel:
    matrix:
    - ENVIRONMENT: [testing, staging]
      GOOGLE_APPLICATION_CREDENTIALS: $GOOGLE_APPLICATION_CREDENTIALS_INTERNAL 
    - ENVIRONMENT: production
      GOOGLE_APPLICATION_CREDENTIALS: $GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION
  script:
  - echo "$GOOGLE_APPLICATION_CREDENTIALS_INTERNAL"
  - echo "$GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION"
  - echo "$GOOGLE_APPLICATION_CREDENTIALS"

What is the current bug behavior?

For example, the output of job expand: [production, $GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION]:.

$ echo "$GOOGLE_APPLICATION_CREDENTIALS_INTERNAL"
/builds/michaelbisgaardo/gitlab-ci-matrix-expansion-example.tmp/GOOGLE_APPLICATION_CREDENTIALS_INTERNAL
$ echo "$GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION"
/builds/michaelbisgaardo/gitlab-ci-matrix-expansion-example.tmp/GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION
$ echo "$GOOGLE_APPLICATION_CREDENTIALS"
secret production credentials

What is the expected correct behavior?

$ echo "$GOOGLE_APPLICATION_CREDENTIALS_INTERNAL"
/builds/michaelbisgaardo/gitlab-ci-matrix-expansion-example.tmp/GOOGLE_APPLICATION_CREDENTIALS_INTERNAL
$ echo "$GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION"
/builds/michaelbisgaardo/gitlab-ci-matrix-expansion-example.tmp/GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION
$ echo "$GOOGLE_APPLICATION_CREDENTIALS"
/builds/michaelbisgaardo/gitlab-ci-matrix-expansion-example.tmp/GOOGLE_APPLICATION_CREDENTIALS_PRODUCTION

Output of checks

This bug happens on GitLab.com.

Edited by Michael Bisgaard Olesen