Allow variables to be configured as masked in the new manual pipeline view

GitLab offers the ability to define variables, for example, from the .gitlab-ci.yml we could have:

variables:
  TRANSIENT_SESSION_CREDENTIALS:
    value: ""
    description: "Transient credentials for performing this job"

This can be useful for capturing variables during manual pipeline runs from the "New Pipeline" action. In this case, the following screen could be displayed:

[Screenshot: screenshot-andrewn-2023-05-04T17h15Z_2x]

Masking Variables

In some cases, the variables contain sensitive values. For example, the variable might contain a special transient authentication token that a user can provide to grant a CI job transient access to perform certain functions.

For an example of this, see https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/dedicated-organization-aws/-/merge_requests/28.

However, at present, the inputs are not masked, adding some risk that the credentials might be spied on by a third party.

Allowing manual variables to be masked/hidden would add additional security.

Using the previous example again:

variables:
  TRANSIENT_SESSION_CREDENTIALS:
    value: ""
    description: "Transient credentials for performing this job"
    masked: true # Mask out the variable during manual input and inside pipeline logs when possible.

With the masked: true value, the screen now displays a password input masking the user-supplied value:

[Screenshot: screenshot-andrewn-2023-05-04T17h21Z_2x]

cc @marknuzzo @dhershkovitch

Edited by Andrew Newdigate
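
A repository-side check related to the proposal above, as an added example that is not part of the original issue or GitLab's own code: it flags secret-looking variables that are prompted for in the manual pipeline form without `masked: true`, or that carry a default value committed to the repository. The `masked` key is the one proposed in this issue; the name pattern, the function name and the sample YAML are assumptions made for illustration.

```ruby
require 'yaml'

# Name fragments that suggest a secret (a constructed heuristic; tune per project).
SENSITIVE_NAME = /TOKEN|SECRET|PASSWORD|CREDENTIAL|PRIVATE_KEY|API_KEY/i

# Audits the top-level `variables:` block of a .gitlab-ci.yml document.
# Returns an array of [variable_name, finding] pairs.
def audit_manual_variables(ci_yaml)
  doc = YAML.safe_load(ci_yaml, aliases: true) || {}
  vars = doc['variables']
  return [] unless vars.is_a?(Hash)

  vars.each_with_object([]) do |(name, spec), findings|
    next unless name.to_s.match?(SENSITIVE_NAME)

    # Expanded form is a mapping (value/description/...); plain form is a scalar.
    expanded = spec.is_a?(Hash)
    default = (expanded ? spec['value'] : spec).to_s

    # A `description` is what makes the variable show up in the manual form.
    # `masked` is the key proposed in this issue (assumed here, hypothetical).
    if expanded && spec.key?('description') && spec['masked'] != true
      findings << [name, 'prompted in the manual pipeline form without masked: true']
    end
    # Masking the input does not help if a secret default sits in the repository.
    findings << [name, 'non-empty default value committed to the repository'] unless default.empty?
  end
end

# Constructed sample input, built around the variable from this issue.
SAMPLE_CI = <<~SAMPLE
  variables:
    TRANSIENT_SESSION_CREDENTIALS:
      value: ""
      description: "Transient credentials for performing this job"
    DEPLOY_TOKEN:
      value: "example-not-a-real-token"
      description: "Token for deployment"
      masked: true
    DEPLOY_ENVIRONMENT:
      value: "staging"
      description: "Target environment"
SAMPLE

audit_manual_variables(SAMPLE_CI).each { |name, msg| puts "#{name}: #{msg}" }
```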