CI Variables
omnibus-gitlab CI pipelines use variables provided by the CI environment to change build behavior between mirrors and
keep sensitive data out of the repositories.
Check the table below for more information about the various CI variables used in the pipelines.
Build variables
Required:
These variables are required to build packages in the pipeline.
| Environment Variable | Description |
|---|---|
AWS_SECRET_ACCESS_KEY
| Account secret to read/write the build package to a S3 location. |
AWS_ACCESS_KEY_ID
| Account ID to read/write the build package to a S3 location. |
Available:
These additional variables are available to override or enable different build behavior.
| Environment Variable | Description |
|---|---|
AWS_MAX_ATTEMPTS
| Maximum number of times an S3 command should retry. |
USE_S3_CACHE
| Set to any value and Omnibus will cache fetched software sources in an s3 bucket. Upstream documentation. |
CACHE_AWS_ACCESS_KEY_ID
| Account ID to read/write from the s3 bucket containing the s3 software fetch cache. |
CACHE_AWS_SECRET_ACCESS_KEY
| Account secret to read/write from the s3 bucket containing the s3 software fetch cache. |
CACHE_AWS_BUCKET
| S3 bucket name for the software fetch cache. |
CACHE_AWS_S3_REGION
| S3 bucket region to write/read the software fetch cache. |
CACHE_AWS_S3_ENDPOINT
| The HTTP or HTTPS endpoint to send requests to, when using s3 compatible service. |
CACHE_S3_ACCELERATE
| Setting any value enables the s3 software fetch cache to pull using s3 accelerate. |
SECRET_AWS_SECRET_ACCESS_KEY
| Account secret to read the gpg private package signing key from a secure s3 bucket. |
SECRET_AWS_ACCESS_KEY_ID
| Account ID to read the gpg private package signing key from a secure s3 bucket. |
GPG_PASSPHRASE
| The passphrase needed to use the gpg private package signing key. |
CE_MAX_PACKAGE_SIZE_MB
| The max package size in MB allowed for CE packages before we alert the team and investigate. |
EE_MAX_PACKAGE_SIZE_MB
| The max package size in MB allowed for EE packages before we alert the team and investigate. |
DEV_GITLAB_SSH_KEY
| SSH private key for an account able to read repositories from dev.gitlab.org. Used for SSH Git fetch.
|
BUILDER_IMAGE_REGISTRY
| Registry to pull the CI Job images from. |
BUILD_LOG_LEVEL
| Omnibus build log level. |
ALTERNATIVE_SOURCES
| Switch to the custom sources listed in https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/.custom_sources.yml Defaults to true.
|
OMNIBUS_GEM_SOURCE
| Non-default remote URI to clone the omnibus gem from. |
QA_BUILD_TARGET
| Build specified QA image. See this MR for details. Defaults to qa.
|
GITLAB_ASSETS_TAG
| Tag of the assets image built by the build-assets-image job in the gitlab-org/gitlab pipelines. Defaults to $GITLAB_REF_SLUG or the gitlab-rails version.
|
BUILD_ON_ALL_OS
| Build all OS images without using manual trigger if set to true.
|
Test variables
| Environment Variable | Description |
|---|---|
RAT_REFERENCE_ARCHITECTURE
| Reference architecture template used in pipeline triggered by RAT job. |
RAT_FIPS_REFERENCE_ARCHITECTURE
| Reference architecture template used in pipeline triggered by RAT:FIPS job. |
RAT_PACKAGE_URL
| URL to fetch regular package - for RAT pipeline triggered by RAT job. |
RAT_FIPS_PACKAGE_URL
| URL to fetch FIPS package - for RAT pipeline triggered by RAT job. |
RAT_TRIGGER_TOKEN
| Trigger token for the RAT pipeline. |
RAT_PROJECT_ACCESS_TOKEN
| Project access token for triggering a RAT pipeline. |
OMNIBUS_GITLAB_MIRROR_PROJECT_ACCESS_TOKEN
| Project access token for building a test package. |
CI_SLACK_WEBHOOK_URL
| Webhook URL for Slack failure notifications. |
DANGER_GITLAB_API_TOKEN
| GitLab API token for dangerbot to post comments to MRs. |
DEPS_GITLAB_TOKEN
| Token used by dependencies.io to create MRs. |
DEPS_TOKEN
| Token used by CI to auth to dependencies.io. |
DOCS_API_TOKEN
| Token used by CI to trigger a review-app build of the docs site. |
MANUAL_QA_TEST
| Variable used to decide if the qa-subset-test job should be played automatically or not.
|
Release variables
Required:
These variables are required to release packages built by the pipeline.
| Environment Variable | Description |
|---|---|
STAGING_REPO
| Repository at packages.gitlab.com where releases are uploaded prior to final release.
|
PACKAGECLOUD_USER
| Packagecloud username for pushing packages to packages.gitlab.com.
|
PACKAGECLOUD_TOKEN
| API access token for pushing packages to packages.gitlab.com.
|
LICENSE_S3_BUCKET
| Bucket for storing release license information published on the public page at https://gitlab-org.gitlab.io/omnibus-gitlab/licenses.html.
|
LICENSE_AWS_SECRET_ACCESS_KEY
| Account secret to read/write from the S3 bucket containing license information. |
LICENSE_AWS_ACCESS_KEY_ID
| Account ID to read/write from the S3 bucket containing license information. |
GCP_SERVICE_ACCOUNT
| Used to read/write metrics in Google Object Storage. |
DOCKERHUB_USERNAME
| Username used when pushing the Omnibus GitLab image to Docker Hub. |
DOCKERHUB_PASSWORD
| Password used when pushing the Omnibus GitLab image to Docker Hub. |
AWS_ULTIMATE_LICENSE_FILE
| GitLab Ultimate license to use the Ultimate AWS AMIs. |
AWS_PREMIUM_LICENSE_FILE
| GitLab Premium license to use the Ultimate AWS AMIs. |
AWS_AMI_SECRET_ACCESS_KEY
| Account secret for read/write access to publish the AWS AMIs. |
AWS_AMI_ACCESS_KEY_ID
| Account ID for read/write access to publish the AWS AMIs. |
AWS_MARKETPLACE_ARN
| AWS ARN to allow AWS Marketplace access our official AMIs. |
PACKAGE_PROMOTION_RUNNER_TAG
| Tag associated with the shared runners used to run package promotion jobs. |
Available:
These additional variables are available to override or enable different build behavior.
| Environment Variable | Description |
|---|---|
RELEASE_DEPLOY_ENVIRONMENT
| Deployment name used for gitlab.com deployer trigger if current ref is a stable tag.
|
PATCH_DEPLOY_ENVIRONMENT
| Deployment name used for the gitlab.com deployer trigger if current ref is a release candidate tag.
|
AUTO_DEPLOY_ENVIRONMENT
| Deployment name used for the gitlab.com deployer trigger if current ref is an auto-deploy tag.
|
DEPLOYER_TRIGGER_PROJECT
| GitLab project ID for the repository used for the gitlab.com deployer.
|
DEPLOYER_TRIGGER_TOKEN
| Trigger token for the various gitlab.com deployer environments.
|
RELEASE_BUCKET
| S3 bucket where release packages are pushed. |
BUILDS_BUCKET
| S3 bucket where regular branch packages are pushed. |
RELEASE_BUCKET_REGION
| S3 bucket region. |
RELEASE_BUCKET_S3_ENDPOINT
| Specify S3 endpoint. Especially useful when S3 compatible storage service is adopted. |
GITLAB_BUNDLE_GEMFILE
| Set Gemfile path required by gitlab-rails bundle. Default is Gemfile.
|
GITLAB_COM_PKGS_RELEASE_BUCKET
| GCS bucket where release packages are pushed. |
GITLAB_COM_PKGS_BUILDS_BUCKET
| GCS bucket where regular branch packages are pushed. |
GITLAB_COM_PKGS_SA_FILE
| Service account key used for pushing release packages for SaaS deployments, it must have write access to the pkgs bucket. |
Unknown/outdated variables
| Environment Variable | Description |
|---|---|
VERSION_TOKEN
| |
TAKEOFF_TRIGGER_TOKEN
| |
TAKEOFF_TRIGGER_PROJECT
| |
RELEASE_TRIGGER_TOKEN
| |
GITLAB_DEV
| |
GET_SOURCES_ATTEMPTS
| A GitLab Runner variable used to control how many times runner tries to fetch the Git repository. |
FOG_REGION
| |
FOG_PROVIDER
| |
FOG_DIRECTORY
| |
AWS_RELEASE_TRIGGER_TOKEN
| Used for releases older than 13.10. |
ASSETS_AWS_SECRET_ACCESS_KEY
| |
ASSETS_AWS_ACCESS_KEY_ID
| |
AMI_LICENSE_FILE
|