CI/CD Variables: Allows secrets to be defined at the top level of CI yaml
Release notes
Problem to solve
There are two non-deprecated ways to get secrets into GitLab CI jobs. You can either set group/project CI/CD variables and mark them as sensitive, or you can use ID tokens in the CI YAML to authenticate with an external secrets provider via the `secrets` keyword. The problem is that the feature set between these two mechanisms is inconsistent.
Specifically, `secrets` can only be set at the job level, while project/group variables are set for all jobs in the pipeline. Allowing `secrets` and `id_tokens` to be set at the pipeline level in `.gitlab-ci.yml` files would simplify use cases where the same secrets are needed in multiple jobs throughout the pipeline. Additionally, this would allow secrets from an external source such as Vault to be injected into jobs that come from pipeline templates.
Currently there is no way to get external secrets into a job created from a pipeline template. A user would need to rewrite the pipeline template, or duplicate their secrets into GitLab project variables, in order to use a pipeline template with a value the user considers sensitive.
Proposal
Simply allow `id_tokens` and `secrets` to be set at the pipeline level. Secrets defined this way should be injected into all jobs of the pipeline.
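As an added illustration that is not part of the issue itself: the first document shows the job-level `id_tokens`/`secrets` syntax GitLab supports today, repeated per job; the second shows the pipeline-level form this issue proposes. The top-level `id_tokens` and `secrets` keys are hypothetical (not valid GitLab CI today), and the Vault address, KV path and audience are constructed placeholders.

```yaml
# --- Today: id_tokens and secrets must be duplicated in every job ---
variables:
  VAULT_SERVER_URL: https://vault.example.com   # constructed placeholder

build:
  id_tokens:
    VAULT_ID_TOKEN:                  # OIDC JWT minted by GitLab for this job
      aud: https://vault.example.com # constructed placeholder audience
  secrets:
    DB_PASSWORD:
      vault: production/db/password@kv  # constructed placeholder KV path
      token: $VAULT_ID_TOKEN
      file: false                       # expose as a variable, not a temp file
  script:
    - ./build.sh

test:
  id_tokens:                         # identical block copied verbatim
    VAULT_ID_TOKEN:
      aud: https://vault.example.com
  secrets:
    DB_PASSWORD:
      vault: production/db/password@kv
      token: $VAULT_ID_TOKEN
      file: false
  script:
    - ./test.sh

---
# --- Proposed: hypothetical top-level keys, defined once for the pipeline ---
variables:
  VAULT_SERVER_URL: https://vault.example.com

id_tokens:                           # hypothetical pipeline-level key
  VAULT_ID_TOKEN:
    aud: https://vault.example.com
secrets:                             # hypothetical pipeline-level key
  DB_PASSWORD:
    vault: production/db/password@kv
    token: $VAULT_ID_TOKEN
    file: false

include:
  - local: templates/build.yml       # constructed placeholder template;
                                     # its jobs would also receive DB_PASSWORD

test:
  script:
    - ./test.sh                      # DB_PASSWORD available with no per-job config
```

A pipeline-level secret would be resolved for every job, including ones that do not need it, so the job-level form remains the tighter scope where that matters.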
Intended users
Developer