CI/CD Pipelines: Security, Secrets, and Governance/Protect production variables in GitLab

Restrict sensitive variables to protected branches or tags.

Section: Harden pipeline credentials and permissions

Protect production variables in GitLab

```yaml
deploy_production:
  stage: deploy
  only:
    - main   # job is added to the pipeline only for the main branch
```
Explanation

Pair protected branches/tags with protected variables so untrusted branches cannot access deploy secrets.
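An added example (not from the original sheet) that makes the pairing explicit. The job name, stage, script and the variable name PROD_DEPLOY_TOKEN are assumed. The point it shows: the restriction in .gitlab-ci.yml is not the trust boundary, because anyone who can push to an unprotected branch can edit that file and drop the branch check; what actually keeps the secret away from untrusted branches is the "Protect variable" flag set on the variable itself in Settings > CI/CD > Variables, which GitLab honours only for pipelines on protected branches or tags. The job uses the predefined variable CI_COMMIT_REF_PROTECTED, which GitLab sets to "true" when the pipeline runs for a protected ref, and it fails fast if the protected secret was not injected.

```yaml
# Added example, not from the original sheet. Names are assumed.
deploy_production:
  stage: deploy
  environment:
    name: production
  rules:
    # CI_COMMIT_REF_PROTECTED is a GitLab predefined variable: "true" only when
    # the pipeline runs for a protected branch or tag. Combining it with the
    # branch name keeps the job off unprotected refs even if someone protects
    # an extra branch later.
    - if: '$CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH == "main"'
  script:
    # PROD_DEPLOY_TOKEN (assumed name) must be created as a project variable
    # with "Protect variable" (and "Mask variable") enabled. Without the
    # Protect flag GitLab injects it into every pipeline, including ones run
    # from feature branches, no matter what this job's rules say.
    - test -n "$PROD_DEPLOY_TOKEN" || { echo "protected variable not injected; refusing to deploy"; exit 1; }
    - ./deploy.sh production   # assumed deploy script
```

The `test -n` line is a cheap sanity check rather than a security control: if the variable is missing on the protected branch, the deploy stops with a clear message instead of failing somewhere inside the deploy tooling. The security control is the Protect flag on the variable plus the branch protection on main.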

Related commands

Use least-privilege permissions in GitHub Actions
Explicitly scope the token for each workflow or job.
Use OIDC instead of long-lived cloud keys
Exchange a short-lived identity token for cloud credentials.
Pin actions to a version or commit
Avoid floating references for critical workflow dependencies.
Be careful with untrusted pull requests
Avoid exposing secrets to code from forks.
Require approval for production release
Add environment rules or manual gates before prod deploys.