{"id":"e7fd0cf6-e490-49bc-b376-43c08cb1802a","task":"Configure GitLab CI to use environments with protected variables and deployment tiers for secret isolation across dev, staging, and prod","domain":"docs.gitlab.com","steps":["Define environments in .gitlab-ci.yml using the environment: key with name and url: deploy-staging: environment: name: staging; url: https://staging.example.com","In GitLab UI under Settings > CI/CD > Variables, set protected variables scoped to the environment: check Protected and set the Environment scope to staging or production — this restricts the variable to jobs running against that environment","Create GitLab environments under Deployments > Environments and configure deployment tiers: staging is tier staging, production is tier production — this affects environment-level tracking and dashboards","Add required approvals to the production environment under Deployments > Environments > Edit: set Approval rules and Required approvals count so that pipeline jobs targeting production are blocked until approved","Reference environment-scoped secrets in job scripts with the same variable name: $DB_URL resolves to the value scoped to the matching environment without branching logic in the YAML","Verify isolation with a test: manually override a protected variable in a dev pipeline and confirm it is not accessible in the production deployment job by checking job logs (variables are redacted in logs)"],"gotchas":["Protected variables are only injected into pipelines running on protected branches or tags; a job on an unprotected branch targeting a protected environment will not receive protected variables, which often surfaces as missing credential errors","Environment scope * matches all environments, including production; a variable with scope * intended only for dev will leak into production jobs if not scoped more narrowly — always set explicit environment scope for sensitive values","GitLab deployment approvals operate at the environment level; if multiple jobs in the same pipeline target the same environment, approval is required once per environment per pipeline run, not once per job"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:40.623Z"},"url":"https://mcp.waymark.network/r/e7fd0cf6-e490-49bc-b376-43c08cb1802a"}