Skip to content

Add GitLab CI/CD secrets adapter#1821

Open
felixbuenemann wants to merge 1 commit into
basecamp:mainfrom
felixbuenemann:gitlab-ci-secrets-adapter
Open

Add GitLab CI/CD secrets adapter#1821
felixbuenemann wants to merge 1 commit into
basecamp:mainfrom
felixbuenemann:gitlab-ci-secrets-adapter

Conversation

@felixbuenemann

@felixbuenemann felixbuenemann commented Apr 8, 2026

Copy link
Copy Markdown

Summary

Adds a secrets adapter for GitLab CI/CD project variables using the glab CLI.

  • Fetches variables via glab variable list with pagination support
  • Uses --from to select an environment scope (e.g. staging, production), falling back to wildcard (*) scoped variables
  • Scoped variables take precedence over wildcard variables for the same key

Usage

# .kamal/secrets
SECRETS=$(kamal secrets fetch --adapter gitlab-ci --from "$KAMAL_DESTINATION" DATABASE_URL SECRET_KEY_BASE)

Test plan

  • Fetch specific secrets with environment scope
  • Fallback to wildcard scope when no scoped match exists
  • Fetch without scope returns only wildcard-scoped variables
  • Fetch all secrets (no specific keys requested)
  • Pagination across multiple pages
  • Error when glab variable list fails
  • Error when glab CLI is not installed

Copilot AI review requested due to automatic review settings April 8, 2026 16:42
Copilot AI reviewed Apr 8, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new gitlab-ci secrets adapter that fetches GitLab CI/CD project variables via the glab CLI, supporting environment scoping (--from) with wildcard (*) fallback and pagination.

Changes:

  • Added Kamal::Secrets::Adapters::GitlabCi implementation that lists variables via glab variable list and resolves scoped vs wildcard precedence.
  • Added a dedicated Minitest suite covering scoped fetches, wildcard-only behavior, pagination, and failure modes.
  • Updated adapter lookup to accept the gitlab-ci adapter name.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
lib/kamal/secrets/adapters/gitlab_ci.rb Implements the GitLab CI/CD variables adapter using glab, including pagination and scoped resolution logic.
test/secrets/gitlab_ci_adapter_test.rb Adds adapter tests for scoped fetch, wildcard behavior, pagination, and error cases.
lib/kamal/secrets/adapters.rb Adds gitlab-ci name normalization to load the new adapter.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread lib/kamal/secrets/adapters/gitlab_ci.rb
Comment thread test/secrets/gitlab_ci_adapter_test.rb
@felixbuenemann felixbuenemann force-pushed the gitlab-ci-secrets-adapter branch from 9fd2160 to 82bb9f4 Compare April 8, 2026 16:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@felixbuenemann