CI/CD Variable Skill
CI/CD variable management operations for GitLab using the glab CLI.
Quick Reference
| Operation | Command | Risk |
|---|---|---|
| List variables | glab variable list | - |
| Get variable | glab variable get <key> | - |
| Set variable | glab variable set <key> <value> | ⚠️ |
| Update variable | glab variable update <key> <value> | ⚠️ |
| Delete variable | glab variable delete <key> | ⚠️⚠️ |
| Export variables | glab variable export | - |
Risk Legend: - Safe | ⚠️ Caution | ⚠️⚠️ Warning | ⚠️⚠️⚠️ Danger
When to Use This Skill
ALWAYS use when:
- User wants to manage CI/CD variables
- User mentions "variable", "secret", "env var", "CI variable", "environment variable"
- User wants to configure build/deployment settings
NEVER use when:
- User wants to run pipelines (use gitlab-ci)
- User wants to manage .env files locally (use file operations)
Available Commands
List Variables
glab variable list [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> | List group-level variables |
-P, --per-page=<n> | Results per page |
Examples:
# List project variables
glab variable list
# List group variables
glab variable list -g mygroup
Get Variable
glab variable get <key> [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> | Get from group level |
-s, --scope=<scope> | Variable scope/environment |
Examples:
# Get variable value
glab variable get API_KEY
# Get scoped variable
glab variable get DATABASE_URL --scope=production
Set Variable
glab variable set <key> <value> [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> | Set at group level |
-m, --masked | Mask value in logs |
-p, --protected | Only available in protected branches |
-r, --raw | Value is raw (no expansion) |
-s, --scope=<scope> | Variable scope/environment |
-t, --type=<type> | Variable type: env_var, file |
Examples:
# Set simple variable
glab variable set API_URL "https://api.example.com"
# Set masked secret
glab variable set API_KEY "secret123" --masked
# Set protected variable (only on protected branches)
glab variable set DEPLOY_KEY "key123" --protected --masked
# Set scoped variable for production
glab variable set DATABASE_URL "postgres://prod..." --scope=production
# Set file type variable
glab variable set CONFIG_FILE "$(cat config.json)" --type=file
# Set group variable
glab variable set SHARED_SECRET "secret" -g mygroup --masked
Update Variable
glab variable update <key> <value> [options]
Same options as set. Updates existing variable.
Examples:
# Update variable value
glab variable update API_KEY "new-secret" --masked
# Update and change scope
glab variable update DATABASE_URL "new-url" --scope=staging
Delete Variable
glab variable delete <key> [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> | Delete from group level |
-s, --scope=<scope> | Variable scope |
Warning: This permanently deletes the variable.
Examples:
# Delete variable
glab variable delete OLD_API_KEY
# Delete scoped variable
glab variable delete DATABASE_URL --scope=staging
Export Variables
glab variable export [options]
Export variables in dotenv format.
Examples:
# Export to stdout
glab variable export
# Export to file
glab variable export > .env.ci
# Export and source
eval $(glab variable export)
Variable Types
| Type | Use Case |
|---|---|
env_var | Environment variable (default) |
file | Write value to file, expose path as variable |
Variable Flags
| Flag | Effect |
|---|---|
masked | Value is hidden in job logs |
protected | Only available on protected branches/tags |
raw | No variable expansion (use for JSON, etc.) |
Common Workflows
Workflow 1: Set Up Deployment Variables
# Set production secrets
glab variable set PROD_API_KEY "xxx" --protected --masked --scope=production
glab variable set PROD_DB_URL "postgres://..." --protected --masked --scope=production
# Set staging secrets
glab variable set STAGING_API_KEY "xxx" --masked --scope=staging
glab variable set STAGING_DB_URL "postgres://..." --masked --scope=staging
Workflow 2: Rotate Secrets
# 1. List current variables
glab variable list
# 2. Update the secret
glab variable update API_KEY "new-secret-value" --masked
# 3. Trigger a new pipeline to use new secret
glab ci run
Workflow 3: Set Up Service Account
# Store credentials as masked file
glab variable set SERVICE_ACCOUNT_JSON "$(cat service-account.json)" \
--type=file --protected --masked
# In CI/CD, use $SERVICE_ACCOUNT_JSON as path to the credentials file
Workflow 4: Configure Multi-Environment
# Production (protected + masked)
glab variable set DATABASE_URL "postgres://prod..." --scope=production --protected --masked
glab variable set API_KEY "prod-key" --scope=production --protected --masked
# Staging
glab variable set DATABASE_URL "postgres://staging..." --scope=staging --masked
glab variable set API_KEY "staging-key" --scope=staging --masked
# Development
glab variable set DATABASE_URL "postgres://dev..." --scope=development
glab variable set API_KEY "dev-key" --scope=development
Security Best Practices
- Always mask secrets: Use
--maskedfor any sensitive values - Protect production secrets: Use
--protectedfor production credentials - Use scopes: Separate variables by environment
- Rotate regularly: Update secrets periodically
- Avoid logging: Never echo variable values in CI scripts
- Use file type for complex secrets: JSON, certificates, etc.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Authentication failed | Invalid/expired token | Run glab auth login |
| Variable not found | Wrong key or scope | Check with glab variable list |
| Cannot see value | Variable is masked | Masked values cannot be retrieved |
| Permission denied | Not maintainer | Need maintainer+ role for variables |
| Value truncated | Special characters | Use --raw flag for complex values |