Add check to export data script for variable type
Background
A wrong CI ENV variable type can lead to a security breach incident like: https://gitlab.com/gitlab-sirt/incident_3555/-/issues/1#note_1368424305
It completes the request from https://gitlab.com/gitlab-sirt/incident_3555/-/issues/1#note_1367754955 and resolves https://gitlab.com/gitlab-org/analytics-section/product-intelligence/metrics-library/-/issues/1
Goal
Check the variable type before it is used for authentication that can cause data leaks.
Verification
Here is a job log that ran before the correct safeguard was added: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4181930165
And here is one that ran with the safeguard: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4181969206
And another with the safeguard when the correct variable type is set: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4182175231
Final scenario, where the CI ENV variable (GOOGLE_PROJECT_ID) type is set to file when it should be variable. In that case it looks like the variable content is not exposed: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4182783373
You can trigger new jobs from https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/pipeline_schedules/375132/edit to see it fail, or change the env type of GCLOUD_SERVICE_KEY to file and see the type validation pass.
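
A type check of the kind described above could look like this in a job script. This is an added example, not the project's export script: the helper names are hypothetical, and it assumes GCLOUD_SERVICE_KEY is expected as type file and GOOGLE_PROJECT_ID as type variable, as the verification notes indicate.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not the project's export script.
# GitLab passes a "file" type CI variable as the path of a temporary file and a
# "variable" type CI variable as the raw value.

# Copy the value of the variable named $1 into _value without printing it.
_read_var() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "ERROR: invalid variable name" >&2; return 2 ;;
    esac
    eval "_value=\${$1-}"
    if [ -z "$_value" ]; then
        echo "ERROR: $1 is not set" >&2
        return 1
    fi
}

# Succeeds only if the variable holds the path of a readable, non-empty file.
# Messages name the variable but never echo its value, which would be the
# secret itself when the type is wrong.
require_file_variable() {
    _read_var "$1" || return $?
    if [ ! -f "$_value" ] || [ ! -r "$_value" ] || [ ! -s "$_value" ]; then
        echo "ERROR: $1 must be a CI variable of type 'file'" >&2
        return 1
    fi
}

# Succeeds only if the variable holds a plain value, not a path to a file.
require_plain_variable() {
    _read_var "$1" || return $?
    if [ -e "$_value" ]; then
        echo "ERROR: $1 must be a CI variable of type 'variable'" >&2
        return 1
    fi
}

# Usage in a job script, before any authentication step:
#   require_file_variable GCLOUD_SERVICE_KEY || exit 1
#   require_plain_variable GOOGLE_PROJECT_ID || exit 1
```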