Enable 'Masked and hidden' for instance-level CI/CD variables

What does this MR do and why?

Enables the "Masked and hidden" visibility option for instance-level CI/CD variables in the Admin Area UI.

Previously this option was only available for project-level and group-level variables. The Admin Area (Admin > CI/CD > Variables) only offered "Visible" and "Masked". This was not a deliberate product decision but simply wasn't implemented when the feature was originally added under group::pipeline security (see discussion).

Contrary to what the issue description states, the backend did not already support this. The following gaps existed:

  • No hidden column on ci_instance_variables
  • Ci::InstanceVariable did not include Ci::HidableVariable
  • Admin::Ci::VariablesController did not permit the hidden parameter
  • CiInstanceVariable GraphQL type had no hidden field
  • The REST serializer did not expose hidden for instance variables
  • The frontend GraphQL fragment did not query hidden
  • The entity prop was not set, so the UI hid the radio button

This MR addresses all of the above to bring instance-level variables in line with project and group variables.

How to set up and validate locally

  1. Run the database migration: bundle exec rails db:migrate
  2. Verify the column was added: gdk psql -d gitlabhq_development -c "\d ci_instance_variables"
     You should see a hidden column with type boolean, default false, not null.
  3. Start (or restart) GDK: gdk restart
  4. Sign in as an admin user and enable Admin Mode.
  5. Navigate to Admin Area > CI/CD > Variables (/admin/ci/variables).
  6. Click "Add variable".
  7. In the Visibility section, verify that three options are now available:
     • Visible
     • Masked
     • Masked and hidden (this is new)
  8. Create a variable with "Masked and hidden" selected:
     • Key: TEST_HIDDEN_VAR
     • Value: SuperSecret123 (must be at least 8 characters and match masking rules)
     • Click Add variable
  9. Verify the variable appears in the list and:
     • The value is not displayed (should show as hidden)
     • Clicking edit shows the variable as "Masked and hidden"
     • The value field is not editable and the value is not revealed
  10. For comparison, create a regular "Masked" variable and verify it behaves as before (value hidden in list but revealed on edit).
  11. Run the backend tests:
     bundle exec rspec spec/models/ci/instance_variable_spec.rb
     bundle exec rspec spec/models/concerns/ci/hidable_variable_spec.rb
     bundle exec rspec spec/graphql/types/ci/instance_variable_type_spec.rb
     bundle exec rspec spec/controllers/admin/ci/variables_controller_spec.rb
  12. Run the frontend test: yarn jest spec/frontend/ci/ci_variable_list/components/ci_admin_variables_spec.js

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Norman Debald
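
The visibility behaviour checked by hand in the validation steps above can also be pinned down as a server-side redaction check. The following is an added example, not code from this MR or from GitLab: InstanceVar, payload_for, leaks? and TEST_MASKED_VAR are hypothetical names, and the rules that "hidden" requires "masked" and that "Visible" values are readable in both views are assumptions.

```ruby
require 'json'

# Hypothetical stand-in for an instance-level variable; not GitLab's
# Ci::InstanceVariable or Ci::HidableVariable.
InstanceVar = Struct.new(:key, :value, :masked, :hidden, keyword_init: true) do
  def visibility
    return :masked_and_hidden if masked && hidden
    masked ? :masked : :visible
  end

  def errors
    errs = []
    # Assumption: "hidden" is only valid together with "masked".
    errs << 'hidden requires masked' if hidden && !masked
    # From the page: masked values need at least 8 characters
    # (the other masking rules are not modelled here).
    errs << 'masked value is too short' if masked && value.to_s.length < 8
    errs
  end
end

# Builds what the server would hand to the UI for :list or :edit.
# Redaction happens here, server-side, so a hidden value never leaves.
def payload_for(var, context)
  raise ArgumentError, var.errors.join(', ') unless var.errors.empty?

  reveal = case var.visibility
           when :visible then true              # assumption: plain variables are readable
           when :masked  then context == :edit  # page: revealed on edit only
           else false                           # page: never revealed
           end
  { key: var.key, masked: var.masked, hidden: var.hidden,
    value: reveal ? var.value : nil,
    value_editable: var.visibility != :masked_and_hidden }
end

# Regression check: does the secret appear anywhere in the serialized payloads?
def leaks?(var, contexts = %i[list edit])
  contexts.any? { |c| JSON.generate(payload_for(var, c)).include?(var.value) }
end

# Constructed sample data, using the key and value from the validation steps.
HIDDEN = InstanceVar.new(key: 'TEST_HIDDEN_VAR', value: 'SuperSecret123', masked: true, hidden: true)
MASKED = InstanceVar.new(key: 'TEST_MASKED_VAR', value: 'SuperSecret123', masked: true, hidden: false)
```

Scanning the serialized payload for the secret, rather than checking a single field, also catches a value that leaks through an unexpected key.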
