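# env_vars.sh
#
# Source this file before running glab-set-vars, which reads these values
# from the environment. Every "your_..._here" string is a placeholder.
# Once real values are filled in, this file holds live secrets: keep it out
# of version control and restrict its permissions (for example chmod 600).

# GitLab credentials
export MY_GITLAB_TOKEN="your_gitlab_token_here"
export MY_GITLAB_USER="your_gitlab_username_here"

# Add credentials for an image repository that you use.
# Only the registry you actually use needs real values.
# Quay.io credentials
export QUAY_IO_CREDS_USR="your_quay_username_here"
export QUAY_IO_CREDS_PSW="your_quay_password_here"
# or JFrog Artifactory credentials
export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
# or Sonatype Nexus credentials
export NEXUS_IO_CREDS_USR="your_nexus_username_here"
export NEXUS_IO_CREDS_PSW="your_nexus_password_here"

# Variables required for ACS tasks.
# ROX variables
export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
export ROX_API_TOKEN="your_rox_api_token_here"

# Variables required for SBOM tasks.
# Cosign secrets
export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
# Trustification credentials
export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"

# Set these variables if your CI provider runners do not run
# on the same cluster as the {ProductShortName} instance.
# Rekor and TUF routes
export REKOR_HOST="your rekor server url here"
export TUF_MIRROR="your tuf service url here"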
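# env_vars.sh
#
# Source this file before running glab-set-vars, which reads these values
# from the environment. Every "your_..._here" string is a placeholder.
# Once real values are filled in, this file holds live secrets: keep it out
# of version control and restrict its permissions (for example chmod 600).

# GitLab credentials
export MY_GITLAB_TOKEN="your_gitlab_token_here"
export MY_GITLAB_USER="your_gitlab_username_here"

# Add credentials for an image repository that you use.
# Only the registry you actually use needs real values.
# Quay.io credentials
export QUAY_IO_CREDS_USR="your_quay_username_here"
export QUAY_IO_CREDS_PSW="your_quay_password_here"
# or JFrog Artifactory credentials
export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
# or Sonatype Nexus credentials
export NEXUS_IO_CREDS_USR="your_nexus_username_here"
export NEXUS_IO_CREDS_PSW="your_nexus_password_here"

# Variables required for ACS tasks.
# ROX variables
export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
export ROX_API_TOKEN="your_rox_api_token_here"

# Variables required for SBOM tasks.
# Cosign secrets
export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
# Trustification credentials
export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"

# Set these variables if your CI provider runners do not run
# on the same cluster as the {ProductShortName} instance.
# Rekor and TUF routes
export REKOR_HOST="your rekor server url here"
export TUF_MIRROR="your tuf service url here"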
使用以下信息更新 glab-set-vars 文件:
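#!/bin/bash
# glab-set-vars: copy pipeline credentials from the environment into the
# CI/CD variables of one GitLab project.
#
# Usage: glab-set-vars <gitlab-repo-name>
# Reads MY_GITLAB_TOKEN and MY_GITLAB_USER from the environment.
if [ $# -ne 1 ]; then
  echo "Missing param, provide gitlab repo name" >&2
  echo "Note: This script uses MY_GITLAB_TOKEN and MY_GITLAB_USER env vars" >&2
  # A usage error must not report success to the caller.
  exit 1
fi

# Stop early rather than sending requests with an empty token or user.
: "${MY_GITLAB_TOKEN:?MY_GITLAB_TOKEN must be set}"
: "${MY_GITLAB_USER:?MY_GITLAB_USER must be set}"

REPO=$1
# NOTE(review): the token is handed to curl through --header, so it appears
# in curl's argument list for the lifetime of each request. On a shared host,
# consider having curl read the header from a protected file instead.
HEADER="PRIVATE-TOKEN: $MY_GITLAB_TOKEN"
URL=https://gitlab.com/api/v4/projects

# Lookup the project id so we can use it below.
# Only a trailing ".git" is stripped; removing every ".git" substring would
# corrupt repository names that contain it elsewhere.
PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITLAB_USER%2F${REPO%.git}" | jq ".id")

# jq prints "null" when the response has no id (unknown project, bad token);
# stop here so later requests do not target /projects/null.
if [ -z "$PID" ] || [ "$PID" = "null" ]; then
  echo "Could not look up project id for $MY_GITLAB_USER/$REPO" >&2
  exit 1
fi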
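#######################################
# Create or replace one CI/CD variable on the GitLab project $PID.
# Globals:   HEADER, URL, PID, MY_GITLAB_USER, REPO (read)
# Arguments: $1 - variable name
#            $2 - variable value
#            $3 - value for the API "masked" field; defaults to true
# Outputs:   progress line and the API responses on stdout
# Returns:   1 if no project id is available, else the pipeline status
#######################################
function setVars() {
  local NAME=$1
  local VALUE=$2
  local MASKED=${3:-true}

  # Without a project id the requests below would hit a wrong endpoint.
  if [ -z "$PID" ] || [ "$PID" = "null" ]; then
    echo "No project id, not setting $NAME" >&2
    return 1
  fi

  echo "setting $NAME in https://gitlab.com/$MY_GITLAB_USER/$REPO"

  # Delete first because if the secret already exists then its value
  # won't be changed by the POST below
  curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME"

  # Set the new key/value.
  # --form-string sends the value literally; with --form a value starting
  # with "@" or "<" would make curl read a local file and upload its content.
  # Check the printed response: if the POST is rejected, the variable has
  # already been deleted above and is now missing from the project.
  curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \
    --form "key=$NAME" --form-string "value=$VALUE" --form "masked=$MASKED" | jq
}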
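# Push each value to the project. A trailing "false" stores the variable
# unmasked; without it setVars defaults the masked flag to true.
# Every expansion is quoted: an unquoted empty variable would vanish and the
# literal "false" would be stored as the value instead.
setVars ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT" false
setVars ROX_API_TOKEN "$ROX_API_TOKEN"
setVars GITOPS_AUTH_PASSWORD "$MY_GITLAB_TOKEN"
setVars GITOPS_AUTH_USERNAME "$MY_GITLAB_USER" false

# Depending on which image repository you use, set one of the pairs below
# and delete the pairs you do not use:
setVars QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR" false
setVars QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"
# or
setVars ARTIFACTORY_IO_CREDS_USR "$ARTIFACTORY_IO_CREDS_USR" false
setVars ARTIFACTORY_IO_CREDS_PSW "$ARTIFACTORY_IO_CREDS_PSW"
# or
setVars NEXUS_IO_CREDS_USR "$NEXUS_IO_CREDS_USR" false
setVars NEXUS_IO_CREDS_PSW "$NEXUS_IO_CREDS_PSW"

setVars COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
setVars COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
setVars COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY" false

setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL" false
setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL" false
setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID" false
setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION" false

# If you need to use the Rekor and TUF variables and you've added them
# to env_vars.sh, set them here too:
setVars REKOR_HOST "$REKOR_HOST" false
setVars TUF_MIRROR "$TUF_MIRROR" false

# NOTE(review): SCRIPTDIR is not assigned anywhere in this listing. Fall back
# to the directory of this script, assuming glab-get-vars sits next to it.
SCRIPTDIR=${SCRIPTDIR:-$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)}
bash "$SCRIPTDIR/glab-get-vars" "$1"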
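#!/bin/bash
# glab-set-vars: copy pipeline credentials from the environment into the
# CI/CD variables of one GitLab project.
#
# Usage: glab-set-vars <gitlab-repo-name>
# Reads MY_GITLAB_TOKEN and MY_GITLAB_USER from the environment.
if [ $# -ne 1 ]; then
  echo "Missing param, provide gitlab repo name" >&2
  echo "Note: This script uses MY_GITLAB_TOKEN and MY_GITLAB_USER env vars" >&2
  # A usage error must not report success to the caller.
  exit 1
fi

# Stop early rather than sending requests with an empty token or user.
: "${MY_GITLAB_TOKEN:?MY_GITLAB_TOKEN must be set}"
: "${MY_GITLAB_USER:?MY_GITLAB_USER must be set}"

REPO=$1
# NOTE(review): the token is handed to curl through --header, so it appears
# in curl's argument list for the lifetime of each request.
HEADER="PRIVATE-TOKEN: $MY_GITLAB_TOKEN"
URL=https://gitlab.com/api/v4/projects

# Lookup the project id so we can use it below.
# Only a trailing ".git" is stripped from the repo name.
PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITLAB_USER%2F${REPO%.git}" | jq ".id")

# jq prints "null" when the response has no id; stop before any write.
if [ -z "$PID" ] || [ "$PID" = "null" ]; then
  echo "Could not look up project id for $MY_GITLAB_USER/$REPO" >&2
  exit 1
fi

# Create or replace one CI/CD variable on the project.
# Arguments: $1 - name, $2 - value, $3 - "masked" field (default true)
function setVars() {
  local NAME=$1
  local VALUE=$2
  local MASKED=${3:-true}
  echo "setting $NAME in https://gitlab.com/$MY_GITLAB_USER/$REPO"

  # Delete first because if the secret already exists then its value
  # won't be changed by the POST below
  curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME"

  # Set the new key/value.
  # --form-string sends the value literally; with --form a value starting
  # with "@" or "<" would make curl read a local file and upload its content.
  curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \
    --form "key=$NAME" --form-string "value=$VALUE" --form "masked=$MASKED" | jq
}

# Every expansion is quoted: an unquoted empty variable would vanish and the
# literal "false" would be stored as the value instead.
setVars ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT" false
setVars ROX_API_TOKEN "$ROX_API_TOKEN"
setVars GITOPS_AUTH_PASSWORD "$MY_GITLAB_TOKEN"
setVars GITOPS_AUTH_USERNAME "$MY_GITLAB_USER" false

# Depending on which image repository you use, set one of the pairs below
# and delete the pairs you do not use:
setVars QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR" false
setVars QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"
# or
setVars ARTIFACTORY_IO_CREDS_USR "$ARTIFACTORY_IO_CREDS_USR" false
setVars ARTIFACTORY_IO_CREDS_PSW "$ARTIFACTORY_IO_CREDS_PSW"
# or
setVars NEXUS_IO_CREDS_USR "$NEXUS_IO_CREDS_USR" false
setVars NEXUS_IO_CREDS_PSW "$NEXUS_IO_CREDS_PSW"

setVars COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
setVars COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
setVars COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY" false

setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL" false
setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL" false
setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID" false
setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION" false

# If you need to use the Rekor and TUF variables and you've added them
# to env_vars.sh, set them here too:
setVars REKOR_HOST "$REKOR_HOST" false
setVars TUF_MIRROR "$TUF_MIRROR" false

# NOTE(review): SCRIPTDIR is not assigned anywhere in this listing. Fall back
# to the directory of this script, assuming glab-get-vars sits next to it.
SCRIPTDIR=${SCRIPTDIR:-$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)}
bash "$SCRIPTDIR/glab-get-vars" "$1"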