Group secret variables
Description
Masters and Developers should be able to specify variables at the group level that are inherited by all the subgroups and all the projects in the group.
This is very useful if you want to share variables between several projects, like credentials or specific settings. It could also be helpful for bulk customization of templates.
Proposal
In the group home, create a new tab Settings -> Pipelines to manage group secret variables, as we already have in the Settings -> Pipelines view for projects.
Variables can be managed by Masters and Developers only, as it is for project secret variables.
Variables support the protected flag to limit access to Masters on protected branches only, as it is for project secret variables.
Variables are overwritten if another variable with the same name and a higher priority is defined for the same pipeline, using the following priority order (from highest to lowest priority):
- Trigger variables (highest priority)
- Project Secret variables
- Group Secret variables
- YAML-defined job-level variables
- YAML-defined global variables
- Deployment variables
- Predefined variables (lowest priority)
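The priority order and the protected flag described above, as an added example that is not GitLab's implementation: it resolves each variable name to its winning source and lists the sources it shadows, which is what you would check when auditing whether a group-level credential is actually the value a pipeline receives. The `Var` struct, `resolve_variables`, the source symbols and the sample data are hypothetical, and the sketch assumes a protected variable is exposed only when the pipeline's ref is protected.

```ruby
# Added example, not GitLab's code. Source names follow the issue's priority
# list; the data model and method names are hypothetical.
PRECEDENCE = %i[trigger project_secret group_secret yaml_job yaml_global
                deployment predefined].freeze # highest to lowest priority

Var = Struct.new(:key, :value, :source, :protected_flag)

# Returns { key => { value:, source:, shadowed: [lower-priority sources] } }.
# Assumption: a protected variable is exposed only on a protected ref.
def resolve_variables(vars, ref_protected:)
  visible = vars.reject { |v| v.protected_flag && !ref_protected }
  unknown = visible.map(&:source).uniq - PRECEDENCE
  raise ArgumentError, "unknown source(s): #{unknown.join(', ')}" unless unknown.empty?

  visible.group_by(&:key).each_with_object({}) do |(key, candidates), out|
    ranked = candidates.sort_by { |v| PRECEDENCE.index(v.source) }
    winner = ranked.first
    out[key] = { value: winner.value, source: winner.source,
                 shadowed: ranked.drop(1).map(&:source) }
  end
end

# Constructed sample data.
SAMPLE = [
  Var.new('DEPLOY_TOKEN', 'group-token', :group_secret, true),
  Var.new('DEPLOY_TOKEN', 'yaml-token', :yaml_global, false),
  Var.new('API_URL', 'https://group.example', :group_secret, false),
  Var.new('API_URL', 'https://project.example', :project_secret, false),
  Var.new('API_URL', 'https://trigger.example', :trigger, false),
  Var.new('CI', 'true', :predefined, false)
].freeze

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |prot|
    puts "ref protected: #{prot}"
    resolve_variables(SAMPLE, ref_protected: prot).each do |k, r|
      puts "  #{k}=#{r[:value]} (from #{r[:source]}, shadows #{r[:shadowed].inspect})"
    end
  end
end
```

On the unprotected ref the protected group value is withheld, so the YAML-defined `DEPLOY_TOKEN` becomes the effective value instead of the variable being absent.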
Possible future iterations
Ability to disable group secret variables on a specific project.
Links / references
Customer request: https://gitlab.zendesk.com/agent/tickets/53836 (internal use)
Duplicated issues: #19809 (closed), #20940 (closed)
Documentation blurb
Secret variables are really useful when defining the project behavior. It is also common for different projects in the same group to share the same deployment information or credentials for accessing external services.
Group-level variables address this problem: you can enter these values once, and all the projects in the group will access them automatically. If you need to change one of them later, you just have to modify it in one single place and all the projects get updated automatically.