# Using Variables In GitLab CI/CD, variables are used to store and manage environment-specific settings, credentials, and other configuration values that are required during the execution of CI/CD pipelines. These variables can be defined at different levels, including project-level and group-level, and they play a crucial role in customizing and securing your CI/CD workflows. ## Group and Project Variables ### Scope - Group-level variables: Apply to all projects within a specific group. They are shared among all projects in that group. - Project-level variables: Apply to a specific project only. They are not shared with other projects, even within the same group. ### Inheritance - Group-level variables: Are inherited by all projects within the group. If a variable is defined at the group level, it is automatically available to all projects in that group, unless overridden at the project level. - Project-level variables: Do not inherit from group-level variables. Each project must define its own project-level variables, and they do not affect other projects in the group. ### Use Cases - Group-level variables: Useful for storing settings or credentials that are common across multiple projects within a group, such as shared API keys or deployment configurations. - Project-level variables: Ideal for project-specific settings or credentials that should not be shared with other projects in the same group. ## Predefined Variables GitLab also provides a set of predefined CI/CD variables. Those variables are listed below: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html ## ONES-AI Group Variables In the GitLab ONES-AI group, common variables for CI are defined and used as follows. Group variables can be managed by users with Maintainer permissions. **Docker** - `DOCKER_REGISTRY` - `DOCKER_USERNAME` - `DOCKER_PASSWORD` **MinIO** - `MINIO_SERVER_URL` - `MINIO_ALIAS` - `MINIO_ACCESS_KEY` - `MINIO_SECRET_KEY` ## Security When using GitLab CI/CD variables, it's crucial to follow security best practices to protect sensitive information and ensure the integrity of your CI/CD pipeline. Here are some security guidelines for using GitLab CI/CD variables: ### Use Protected Variables Mark sensitive variables as "protected" in GitLab CI/CD settings. Protected variables are only available to pipelines running on protected branches, ensuring that sensitive information is not exposed in less secure branches. ### Limit Scope Restrict the scope of variables to specific branches or environments to minimize exposure. Only provide access to variables where they are absolutely necessary. ### Secrets Management Treat CI/CD variables like secrets. Avoid hardcoding sensitive information directly into the CI/CD configuration. Instead, use CI/CD variables to store secrets, such as API keys, passwords, and tokens. ### Mask Sensitive Information GitLab provides a way to mask sensitive information in job logs using the CI_JOB_TOKEN. Use the CI_JOB_TOKEN variable in conjunction with the mask keyword to hide sensitive data in the job output. ### Use Environment-specific Variables If possible, use environment-specific variables to store sensitive information. This allows you to customize variable values based on the target environment (e.g., development, staging, production). ### Regularly Rotate Credentials Rotate credentials and tokens stored in CI/CD variables regularly. This practice helps minimize the risk in case sensitive information is exposed accidentally or if someone gains unauthorized access. ### Access Control Control access to CI/CD variables based on roles and permissions. Only grant access to users or roles that absolutely need it. Use GitLab's Access Control features to manage permissions effectively.