Hide "Secret Variables" by default
Description
We should make secret variables harder to leak accidentally and auditable when viewed.
Proposal
- Treat all project variables the same
- In https://gitlab.com/group/project/variables, show keys only with hidden or masked out values
- Have button to show values (or just rely on the edit button to show the values)
- Log an audit event for the viewing (EE only?)
I am not a fan of restricting view access to Master or any other role. It just doesn't make sense given that a developer can print out the variables in a CI script. We have separate proposals for environment-specific variables (#20367 (closed)), role-specific variables (#23861 (moved)), and service-level variables (#23859 (moved)).
Links / references
- environment-specific variables (#20367 (closed))
- role-specific variables (#23861 (moved))
- service-level variables (#23859 (moved))