gitlab-variable
Original:🇺🇸 English
Translated
GitLab CI/CD variable operations. ALWAYS use this skill when user wants to: (1) list CI/CD variables, (2) set/create variables, (3) update variables, (4) delete variables, (5) manage secrets.
2installs
Added on
NPX Install
npx skill4agent add grandcamel/gitlab-assistant-skills gitlab-variableTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →CI/CD Variable Skill
CI/CD variable management operations for GitLab using the CLI.
glabQuick Reference
| Operation | Command | Risk |
|---|---|---|
| List variables | | - |
| Get variable | | - |
| Set variable | | ⚠️ |
| Update variable | | ⚠️ |
| Delete variable | | ⚠️⚠️ |
| Export variables | | - |
Risk Legend: - Safe | ⚠️ Caution | ⚠️⚠️ Warning | ⚠️⚠️⚠️ Danger
When to Use This Skill
ALWAYS use when:
- User wants to manage CI/CD variables
- User mentions "variable", "secret", "env var", "CI variable", "environment variable"
- User wants to configure build/deployment settings
NEVER use when:
- User wants to run pipelines (use gitlab-ci)
- User wants to manage .env files locally (use file operations)
Available Commands
List Variables
bash
glab variable list [options]Options:
| Flag | Description |
|---|---|
| List group-level variables |
| Results per page |
Examples:
bash
# List project variables
glab variable list
# List group variables
glab variable list -g mygroupGet Variable
bash
glab variable get <key> [options]Options:
| Flag | Description |
|---|---|
| Get from group level |
| Variable scope/environment |
Examples:
bash
# Get variable value
glab variable get API_KEY
# Get scoped variable
glab variable get DATABASE_URL --scope=productionSet Variable
bash
glab variable set <key> <value> [options]Options:
| Flag | Description |
|---|---|
| Set at group level |
| Mask value in logs |
| Only available in protected branches |
| Value is raw (no expansion) |
| Variable scope/environment |
| Variable type: env_var, file |
Examples:
bash
# Set simple variable
glab variable set API_URL "https://api.example.com"
# Set masked secret
glab variable set API_KEY "secret123" --masked
# Set protected variable (only on protected branches)
glab variable set DEPLOY_KEY "key123" --protected --masked
# Set scoped variable for production
glab variable set DATABASE_URL "postgres://prod..." --scope=production
# Set file type variable
glab variable set CONFIG_FILE "$(cat config.json)" --type=file
# Set group variable
glab variable set SHARED_SECRET "secret" -g mygroup --maskedUpdate Variable
bash
glab variable update <key> <value> [options]Same options as . Updates existing variable.
setExamples:
bash
# Update variable value
glab variable update API_KEY "new-secret" --masked
# Update and change scope
glab variable update DATABASE_URL "new-url" --scope=stagingDelete Variable
bash
glab variable delete <key> [options]Options:
| Flag | Description |
|---|---|
| Delete from group level |
| Variable scope |
Warning: This permanently deletes the variable.
Examples:
bash
# Delete variable
glab variable delete OLD_API_KEY
# Delete scoped variable
glab variable delete DATABASE_URL --scope=stagingExport Variables
bash
glab variable export [options]Export variables in dotenv format.
Examples:
bash
# Export to stdout
glab variable export
# Export to file
glab variable export > .env.ci
# Export and source
eval $(glab variable export)Variable Types
| Type | Use Case |
|---|---|
| Environment variable (default) |
| Write value to file, expose path as variable |
Variable Flags
| Flag | Effect |
|---|---|
| Value is hidden in job logs |
| Only available on protected branches/tags |
| No variable expansion (use for JSON, etc.) |
Common Workflows
Workflow 1: Set Up Deployment Variables
bash
# Set production secrets
glab variable set PROD_API_KEY "xxx" --protected --masked --scope=production
glab variable set PROD_DB_URL "postgres://..." --protected --masked --scope=production
# Set staging secrets
glab variable set STAGING_API_KEY "xxx" --masked --scope=staging
glab variable set STAGING_DB_URL "postgres://..." --masked --scope=stagingWorkflow 2: Rotate Secrets
bash
# 1. List current variables
glab variable list
# 2. Update the secret
glab variable update API_KEY "new-secret-value" --masked
# 3. Trigger a new pipeline to use new secret
glab ci runWorkflow 3: Set Up Service Account
bash
# Store credentials as masked file
glab variable set SERVICE_ACCOUNT_JSON "$(cat service-account.json)" \
--type=file --protected --masked
# In CI/CD, use $SERVICE_ACCOUNT_JSON as path to the credentials fileWorkflow 4: Configure Multi-Environment
bash
# Production (protected + masked)
glab variable set DATABASE_URL "postgres://prod..." --scope=production --protected --masked
glab variable set API_KEY "prod-key" --scope=production --protected --masked
# Staging
glab variable set DATABASE_URL "postgres://staging..." --scope=staging --masked
glab variable set API_KEY "staging-key" --scope=staging --masked
# Development
glab variable set DATABASE_URL "postgres://dev..." --scope=development
glab variable set API_KEY "dev-key" --scope=developmentSecurity Best Practices
- Always mask secrets: Use for any sensitive values
--masked - Protect production secrets: Use for production credentials
--protected - Use scopes: Separate variables by environment
- Rotate regularly: Update secrets periodically
- Avoid logging: Never echo variable values in CI scripts
- Use file type for complex secrets: JSON, certificates, etc.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Authentication failed | Invalid/expired token | Run |
| Variable not found | Wrong key or scope | Check with |
| Cannot see value | Variable is masked | Masked values cannot be retrieved |
| Permission denied | Not maintainer | Need maintainer+ role for variables |
| Value truncated | Special characters | Use |
Related Documentation
- Safeguards
- Quick Reference