GitLab CI/CD

Pull Envshed secrets into your GitLab CI/CD jobs without copying them into project- or group-level CI/CD variables. One token in GitLab, every other secret stays in Envshed.

On the roadmap — target Q3 2026

The first-class GitLab template (include-able job + .gitlab-ci.yml snippet) ships in Q3 2026. The CLI workaround below works today and is what we will recommend for self-managed GitLab once the template ships.

How it will work

  • Single include — one include: remote: line adds an envshed job that fetches secrets and exposes them to downstream jobs via a dotenv artifact.
  • Token in one place — store ENVSHED_TOKEN once as a masked, protected CI/CD variable; everything else lives in Envshed.
  • Per-environment mapping — pick the Envshed environment per pipeline using ENVSHED_ENVIRONMENT, set in rules: or via dotenv from a previous job.
  • Self-managed safe — works against any GitLab version that supports dotenv artifacts (13.0+), including self-hosted instances behind a VPN.

Workaround today

Use the envshed CLI directly inside your job. The dotenv artifact pattern below is the same one the future template will use under the hood.

variables:
  ENVSHED_ENVIRONMENT: production

stages:
  - secrets
  - deploy

fetch-secrets:
  stage: secrets
  image: node:22-slim
  script:
    - npm install -g envshed
    - envshed pull -e $ENVSHED_ENVIRONMENT -o my-org -p backend -f envshed.env --force
  artifacts:
    reports:
      dotenv: envshed.env

deploy:
  stage: deploy
  needs: ["fetch-secrets"]
  script:
    - ./deploy.sh

A few notes on this pattern:

  • Add ENVSHED_TOKEN as a masked, protected CI/CD variable so it is only available to protected branches and never echoed to logs.
  • Use a service token scoped to the environment you are deploying to — never a personal token.
  • Prefer the dotenv artifact pattern over cat envshed.env >> $GITLAB_ENV; the artifact pattern carries values into downstream jobs without writing them to a file other jobs can read.
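
A pre-flight check for envshed.env before it is published as a dotenv report, as an added example that is not part of Envshed's documentation or CLI. The limits it enforces (5 KB file size, keys made of letters, digits and underscores, no empty lines, comments or multiline values) are assumptions based on GitLab's documented dotenv report restrictions and should be confirmed for your GitLab version; check_dotenv and DOTENV_MAX_BYTES are names chosen here. Findings report line numbers only, so no secret value reaches the job log.

```shell
#!/bin/sh
# Added example: validate a dotenv file before it is used as
# artifacts:reports:dotenv. Findings name line numbers only, never
# keys or values, because a broken line may contain part of a secret.

# Assumed default size limit for dotenv reports (5 KB); override if your
# self-managed instance is configured differently.
DOTENV_MAX_BYTES="${DOTENV_MAX_BYTES:-5120}"

# check_dotenv FILE
# Prints one finding per problem. Returns 0 if clean, 1 if any finding,
# 2 if the file does not exist.
check_dotenv() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    status=0
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$DOTENV_MAX_BYTES" ]; then
        echo "file is $size bytes, limit is $DOTENV_MAX_BYTES"
        status=1
    fi

    n=0
    # '|| [ -n "$line" ]' also processes a last line with no trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            "")  echo "line $n: empty line"; status=1; continue ;;
            \#*) echo "line $n: comment"; status=1; continue ;;
            *=*) ;;
            *)   echo "line $n: no KEY=VALUE pair (multiline value?)"
                 status=1; continue ;;
        esac
        key=${line%%=*}
        case "$key" in
            ""|*[!A-Za-z0-9_]*) echo "line $n: invalid key name"; status=1 ;;
        esac
    done < "$file"
    return "$status"
}
```

In the fetch-secrets job this would run as `check_dotenv envshed.env` directly after the `envshed pull` line, so a malformed file fails the job before the artifact is uploaded.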

Want this sooner?

The GitLab template waits behind the Vercel integration on the public roadmap. If GitLab CI is the integration that would unblock your team, email hello@envshed.com with a line about your GitLab version (SaaS or self-managed) — that helps us prioritize.