gitlab-variable
SKILL.md
CI/CD Variable Skill
CI/CD variable management operations for GitLab using the glab CLI.
Quick Reference
| Operation | Command | Risk |
|---|---|---|
| List variables | glab variable list |
- |
| Get variable | glab variable get <key> |
- |
| Set variable | glab variable set <key> <value> |
⚠️ |
| Update variable | glab variable update <key> <value> |
⚠️ |
| Delete variable | glab variable delete <key> |
⚠️⚠️ |
| Export variables | glab variable export |
- |
Risk Legend: - Safe | ⚠️ Caution | ⚠️⚠️ Warning | ⚠️⚠️⚠️ Danger
When to Use This Skill
ALWAYS use when:
- User wants to manage CI/CD variables
- User mentions "variable", "secret", "env var", "CI variable", "environment variable"
- User wants to configure build/deployment settings
NEVER use when:
- User wants to run pipelines (use gitlab-ci)
- User wants to manage .env files locally (use file operations)
Available Commands
List Variables
glab variable list [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> |
List group-level variables |
-P, --per-page=<n> |
Results per page |
Examples:
# List project variables
glab variable list
# List group variables
glab variable list -g mygroup
Get Variable
glab variable get <key> [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> |
Get from group level |
-s, --scope=<scope> |
Variable scope/environment |
Examples:
# Get variable value
glab variable get API_KEY
# Get scoped variable
glab variable get DATABASE_URL --scope=production
Set Variable
glab variable set <key> <value> [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> |
Set at group level |
-m, --masked |
Mask value in logs |
-p, --protected |
Only available in protected branches |
-r, --raw |
Value is raw (no expansion) |
-s, --scope=<scope> |
Variable scope/environment |
-t, --type=<type> |
Variable type: env_var, file |
Examples:
# Set simple variable
glab variable set API_URL "https://api.example.com"
# Set masked secret
glab variable set API_KEY "secret123" --masked
# Set protected variable (only on protected branches)
glab variable set DEPLOY_KEY "key123" --protected --masked
# Set scoped variable for production
glab variable set DATABASE_URL "postgres://prod..." --scope=production
# Set file type variable
glab variable set CONFIG_FILE "$(cat config.json)" --type=file
# Set group variable
glab variable set SHARED_SECRET "secret" -g mygroup --masked
Update Variable
glab variable update <key> <value> [options]
Same options as set. Updates existing variable.
Examples:
# Update variable value
glab variable update API_KEY "new-secret" --masked
# Update and change scope
glab variable update DATABASE_URL "new-url" --scope=staging
Delete Variable
glab variable delete <key> [options]
Options:
| Flag | Description |
|---|---|
-g, --group=<group> |
Delete from group level |
-s, --scope=<scope> |
Variable scope |
Warning: This permanently deletes the variable.
Examples:
# Delete variable
glab variable delete OLD_API_KEY
# Delete scoped variable
glab variable delete DATABASE_URL --scope=staging
Export Variables
glab variable export [options]
Export variables in dotenv format.
Examples:
# Export to stdout
glab variable export
# Export to file
glab variable export > .env.ci
# Export and source
eval $(glab variable export)
Variable Types
| Type | Use Case |
|---|---|
env_var |
Environment variable (default) |
file |
Write value to file, expose path as variable |
Variable Flags
| Flag | Effect |
|---|---|
masked |
Value is hidden in job logs |
protected |
Only available on protected branches/tags |
raw |
No variable expansion (use for JSON, etc.) |
Common Workflows
Workflow 1: Set Up Deployment Variables
# Set production secrets
glab variable set PROD_API_KEY "xxx" --protected --masked --scope=production
glab variable set PROD_DB_URL "postgres://..." --protected --masked --scope=production
# Set staging secrets
glab variable set STAGING_API_KEY "xxx" --masked --scope=staging
glab variable set STAGING_DB_URL "postgres://..." --masked --scope=staging
Workflow 2: Rotate Secrets
# 1. List current variables
glab variable list
# 2. Update the secret
glab variable update API_KEY "new-secret-value" --masked
# 3. Trigger a new pipeline to use new secret
glab ci run
Workflow 3: Set Up Service Account
# Store credentials as masked file
glab variable set SERVICE_ACCOUNT_JSON "$(cat service-account.json)" \
--type=file --protected --masked
# In CI/CD, use $SERVICE_ACCOUNT_JSON as path to the credentials file
Workflow 4: Configure Multi-Environment
# Production (protected + masked)
glab variable set DATABASE_URL "postgres://prod..." --scope=production --protected --masked
glab variable set API_KEY "prod-key" --scope=production --protected --masked
# Staging
glab variable set DATABASE_URL "postgres://staging..." --scope=staging --masked
glab variable set API_KEY "staging-key" --scope=staging --masked
# Development
glab variable set DATABASE_URL "postgres://dev..." --scope=development
glab variable set API_KEY "dev-key" --scope=development
Security Best Practices
- Always mask secrets: Use
--maskedfor any sensitive values - Protect production secrets: Use
--protectedfor production credentials - Use scopes: Separate variables by environment
- Rotate regularly: Update secrets periodically
- Avoid logging: Never echo variable values in CI scripts
- Use file type for complex secrets: JSON, certificates, etc.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Authentication failed | Invalid/expired token | Run glab auth login |
| Variable not found | Wrong key or scope | Check with glab variable list |
| Cannot see value | Variable is masked | Masked values cannot be retrieved |
| Permission denied | Not maintainer | Need maintainer+ role for variables |
| Value truncated | Special characters | Use --raw flag for complex values |
Related Documentation
Weekly Installs
8
Repository
grandcamel/gitl…t-skillsGitHub Stars
1
First Seen
Feb 20, 2026
Security Audits
Installed on
opencode8
gemini-cli8
antigravity8
github-copilot8
codex8
kimi-cli8