| name | glab-variable |
| description | Manage GitLab CI/CD variables using the glab CLI. Use this skill whenever the user wants to create, list, get, update, delete, or export CI/CD variables for a project or group. Trigger on phrases like "set a CI variable", "add environment variable", "list pipeline variables", "delete a secret", "mask a variable", "set a protected variable", or any GitLab CI/CD variable management task. |
GitLab CI/CD Variable Management
Use glab variable to manage CI/CD variables for projects and groups. Variables are injected into pipeline jobs as environment variables.
Set a Variable (Create or Update)
glab variable set <KEY> -v "<value>"
glab variable set DATABASE_URL -v "postgres://host/db"
glab variable set SECRET_TOKEN -v "abc123" -m
glab variable set PROD_KEY -v "xyz" -p
glab variable set KUBECONFIG -v "$(cat ~/.kube/config)" -t file
glab variable set API_URL -v "https://staging.example.com" -s staging
glab variable set SHARED_KEY -v "value" -g <group-path>
Key flags:
-v value (required)
-m masked (hides value in logs)
-p protected (restricted to protected refs)
-t env_var|file type (default: env_var)
-s <env> environment scope (default: * = all)
-g <group> group-level (instead of project-level)
-r raw (no variable expansion)
--hidden fully hidden (cannot be retrieved after creation)
List Variables
glab variable list
glab variable list -g <group>
glab variable list -O json
Get a Variable
glab variable get <KEY>
glab variable get <KEY> -s production
glab variable get <KEY> -O json
Update a Variable
glab variable update <KEY> -v "<new-value>"
glab variable update <KEY> -v "<new-value>" -m -p
Export Variables (Shell Format)
glab variable export
glab variable export > .env
Delete a Variable
glab variable delete <KEY>
glab variable delete <KEY> -s <env>
Behavior Guidelines
- Secrets always masked: Whenever a variable contains a password, token, key, or any sensitive value, automatically add
-m (masked). This prevents accidental log exposure.
- Production variables: Suggest
-p (protected) for production credentials so they're only available in protected branches.
- Bulk setup: When the user wants to copy variables from a
.env file, read the file and run glab variable set for each line.
- Hidden variables: Use
--hidden for highly sensitive values that should never be retrievable — warn the user that these cannot be viewed after creation.
- Scope: When there are environment-specific values (staging vs production), use
-s <env> to scope them correctly.