Configure GitLab CI to use environments with protected variables and deployment tiers for secret isolation across dev, staging, and prod

domain: docs.gitlab.com · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Define environments in .gitlab-ci.yml using the environment: key with name and url, for example a deploy-staging job whose environment: block sets name: staging and url: https://staging.example.com
  2. In the GitLab UI under Settings > CI/CD > Variables, set protected variables scoped to the environment: check Protected and set the Environment scope to staging or production. The Environment scope restricts the variable to jobs running against that environment; Protected additionally limits it to pipelines that run on protected branches or tags
  3. Create GitLab environments under Deployments > Environments and configure deployment tiers: staging is tier staging, production is tier production — this affects environment-level tracking and dashboards
  4. Add required approvals to the production environment under Deployments > Environments > Edit: set Approval rules and Required approvals count so that pipeline jobs targeting production are blocked until approved
  5. Reference environment-scoped secrets in job scripts with the same variable name: $DB_URL resolves to the value scoped to the matching environment without branching logic in the YAML
  6. Verify isolation with a test: manually override a protected variable in a dev pipeline and confirm it is not accessible in the production deployment job by checking job logs (variables are redacted in logs)
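
A .gitlab-ci.yml that ties steps 1, 3, 5 and 6 together, written here as an added example and not taken from GitLab's documentation or from this route's author. It assumes DB_URL is defined once per environment scope with no copy under the default scope *, and deploy.sh and https://example.com are placeholders.

```yaml
# Added example. Assumes DB_URL is defined twice under
# Settings > CI/CD > Variables: once with Environment scope "staging",
# once with scope "production", both Protected, and that no copy of
# DB_URL exists with the default scope "*".
stages:
  - verify
  - deploy

# Shared deploy logic: fail closed if the scoped secret did not resolve.
.deploy:
  stage: deploy
  script:
    - 'test -n "${DB_URL:-}" || { echo "DB_URL not set for $CI_ENVIRONMENT_NAME"; exit 1; }'
    - ./deploy.sh   # hypothetical deploy script; reads DB_URL from its environment

# Step 6 check: a job with no environment key must not receive DB_URL.
# If it does, a copy with scope "*" exists and isolation is broken.
verify-no-leak:
  stage: verify
  script:
    - 'test -z "${DB_URL:-}" || { echo "DB_URL leaked into a job without an environment"; exit 1; }'

deploy-staging:
  extends: .deploy
  environment:
    name: staging
    url: https://staging.example.com
    deployment_tier: staging
  rules:
    # Protected variables only reach pipelines on protected refs.
    - if: $CI_COMMIT_REF_PROTECTED == "true"

deploy-production:
  extends: .deploy
  environment:
    name: production
    url: https://example.com   # placeholder URL
    deployment_tier: production
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Both deploy jobs read the same $DB_URL name; which value they get is decided by the environment name on the job, and the verify job fails the pipeline before any deploy if the secret is visible outside a scoped environment.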
