Export a variable that is set to true if CI is running on a protected branch
Problem to solve
As GitLab users who use GitLab CI, we create Debian packages depending on branch type:
- tags create "stable" packages,
- master, and protected branches, create "testing" packages,
- other branches create "unstable" packages
During CI, there is no easy method to determine whether a branch is a protected branch.
Further details
- Work-arounds are possible, see below, but are constraining to use since they need to be set up for each namespace (or by project).
- A job token can not query the API during the CI, so we can not determine if branch is protected during the CI via API.
Proposal
- Export, by default, a variable that is set to true if the branch is protected. Keeping with the current naming schema, CI_REF_PROTECTED could be used.
What does success look like, and how can we measure that?
By querying the value of CI_REF_PROTECTED during a build of a protected branch and a non-protected branch.
Work-arounds
One work-around is to create 1 variable in the group settings:
- secret variable "CI_PROTECTED_BRANCH" with value "testing"
During CI, if CI_PROTECTED_BRANCH is non-empty, that means we're on a protected branch (and we even get the value of the package distribution to use).
The current behavior is that secret variables are not exported (set) on a non-protected branch.
How we currently determine stable, testing, unstable:
- If CI_COMMIT_TAG is set => return stable,
- If CI_PROTECTED_BRANCH is set => return testing,
- otherwise, return unstable
Another workaround could be to use personal tokens, but this method was not explored. For example: call an external in-house API endpoint that proxies the request to the GitLab API, since we can't do that directly.
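The stable/testing/unstable decision from the first work-around, written as a shell function a CI job could source. This is an added example, not code from the original issue; the function name `package_distribution` and the allowlist containing only `testing` are assumptions.

```shell
#!/bin/sh
# Added example: choose the package distribution from CI variables.
# CI_COMMIT_TAG is set by GitLab on tag pipelines.
# CI_PROTECTED_BRANCH is the group-level variable from the work-around; per
# the issue, it is not set when the job runs on a non-protected branch.

# package_distribution (hypothetical name): prints stable, testing or unstable.
# Returns 1 when CI_PROTECTED_BRANCH holds a value outside the allowlist, so a
# mistyped or altered group variable fails the job instead of steering the
# package into an unintended repository.
package_distribution() {
    # A tag always wins, even when the protected variable is also present.
    if [ -n "${CI_COMMIT_TAG:-}" ]; then
        echo stable
        return 0
    fi

    # A non-empty work-around variable means the ref is protected.
    if [ -n "${CI_PROTECTED_BRANCH:-}" ]; then
        case "$CI_PROTECTED_BRANCH" in
            testing)  # assumed allowlist: the value used in the issue
                echo "$CI_PROTECTED_BRANCH"
                return 0
                ;;
            *)
                echo "unexpected CI_PROTECTED_BRANCH value" >&2
                return 1
                ;;
        esac
    fi

    # Neither a tag nor a protected ref.
    echo unstable
}
```

A job would call it as `DIST=$(package_distribution) || exit 1` before building the package.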