Add values of visible CI/CD vars to SLSA provenance
Problem to solve
The externalParameters field of the provenance statements
generated by the runner includes the CI/CD variables set when running the job.
However, for security reasons we decided not to include the values of these
variables, and to only include the names.
See gitlab-runner#28940 (comment 993246150)
This doesn't seem aligned with SLSA 1.0 specifications.
See https://slsa.dev/spec/v1.0/provenance#builddefinition
The parameters that are under external control, such as those set by a user or tenant of the build platform. They MUST be complete at SLSA Build L3, meaning that there is no additional mechanism for an external party to influence the build. (At lower SLSA Build levels, the completeness MAY be best effort.)
Proposal
List all CI/CD variables of the job/build as externalParameters, and give their values when it's safe to do so.
- List masked and hidden variables with a placeholder value: [MASKED].
- List other variables (which are visible) with their raw values.
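As an added illustration of this proposal (not the runner's own code), assuming a simplified JobVariable type with Masked and Hidden flags standing in for the runner's real variable representation:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// JobVariable is a constructed stand-in for a CI/CD variable as the runner
// sees it; the field names are assumptions, not the runner's real types.
type JobVariable struct {
	Key, Value     string
	Masked, Hidden bool // masked in job logs / hidden in the settings UI
}

// MaskedPlaceholder replaces the value of any masked or hidden variable.
const MaskedPlaceholder = "[MASKED]"

// ExternalParameters lists every job variable by name (complete, as SLSA
// Build L3 requires) but keeps the raw value only for visible variables.
func ExternalParameters(vars []JobVariable) map[string]string {
	params := make(map[string]string, len(vars))
	for _, v := range vars {
		if v.Masked || v.Hidden {
			params[v.Key] = MaskedPlaceholder
			continue
		}
		params[v.Key] = v.Value
	}
	return params
}

// ProvenanceFragment renders the buildDefinition.externalParameters part
// of the provenance statement as indented JSON.
func ProvenanceFragment(vars []JobVariable) (string, error) {
	doc := map[string]any{"buildDefinition": map[string]any{
		"externalParameters": ExternalParameters(vars),
	}}
	b, err := json.MarshalIndent(doc, "", "  ")
	return string(b), err
}

func main() {
	// Constructed sample variables: one visible, one masked, one hidden.
	out, _ := ProvenanceFragment([]JobVariable{
		{Key: "CI_COMMIT_SHA", Value: "abc123"},
		{Key: "DEPLOY_TOKEN", Value: "s3cr3t", Masked: true},
		{Key: "INTERNAL_URL", Value: "https://example.internal", Hidden: true},
	})
	fmt.Println(out)
}
```

The resulting fragment lists all three names, so the parameter set stays complete, while only CI_COMMIT_SHA carries its raw value.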
Documentation
To be documented in Document GitLab SLSA provenance, link from buil... (#426764 - closed) if that issue is done after this one.
Implementation plan
TBD