Erick Bajao activity https://gitlab.com/iamricecake 2026-03-18T15:22:57Z

tag:gitlab.com,2026-03-18:5218204489 Erick Bajao commented on issue #587627 at GitLab.org / GitLab 2026-03-18T15:22:57Z iamricecake Erick Bajao

@fcatteau yes, you are correct. Given we don't deprovision the group secrets manager, once they are moved to a new parent, this will now point to a non-existent namespace: https://gitlab.com/gitlab-org/gitlab/-/blob/0295f47dd44b5b735b536f24e4b670a98fae1bc6/ee/app/models/secrets_management/group_secrets_manager.rb#L18-22

tag:gitlab.com,2026-03-18:5215993638 Erick Bajao approved merge request !227820: docs: Add note about temporary file injection for GitLab Secrets Manager at GitLab.org / GitLab 2026-03-18T07:19:28Z iamricecake Erick Bajao

Add a note in the GitLab Secrets Manager documentation explaining that secrets are injected as temporary files, similar to the HashiCorp Vault integration.

This clarifies that the CI/CD variable contains the path to the temporary file, not the secret value itself, and documents the optional file: false parameter to change this behavior.

Changes

  • Updated doc/ci/secrets/secrets_manager/_index.md to include:
    • Explanation that secrets are saved in temporary files
    • Note that the CI/CD variable contains the file path
    • Reference to file-type CI/CD variables for consistency
    • Example showing how to use file: false to get the secret value directly

tag:gitlab.com,2026-03-17:5213408569 Erick Bajao commented on issue #577345 at GitLab.org / GitLab 2026-03-17T15:04:34Z iamricecake Erick Bajao

!226133 (merged) is now merged so we can close this now.

cc @fcatteau

tag:gitlab.com,2026-03-17:5213406270 Erick Bajao closed issue #577345: Group Secret Rotation Background Job at GitLab.org / GitLab 2026-03-17T15:04:07Z iamricecake Erick Bajao

tag:gitlab.com,2026-03-16:5209416672 Erick Bajao commented on merge request !226133 at GitLab.org / GitLab 2026-03-16T17:24:02Z iamricecake Erick Bajao

This guard is not needed. Our query excludes owners that are blocked or inactive. I also improved the specs to test this behavior specifically.

tag:gitlab.com,2026-03-16:5209390289 Erick Bajao pushed to project branch eb-group-secrets-rotation-reminder-part-5 at GitLab.org / GitLab 2026-03-16T17:17:21Z iamricecake Erick Bajao

Erick Bajao (c85c8b35) at 16 Mar 17:17

Address undercoverage

tag:gitlab.com,2026-03-16:5209068222 Erick Bajao commented on merge request !214889 at GitLab.org / GitLab 2026-03-16T15:57:54Z iamricecake Erick Bajao

@fcatteau @jmallissery I realize we need to update this MR to also do this for the new pipeline CEL auth.

tag:gitlab.com,2026-03-16:5209060217 Erick Bajao approved merge request !214889: Correlate pipeline, job identifiers in audit logs at GitLab.org / GitLab 2026-03-16T15:56:02Z iamricecake Erick Bajao

What does this MR do and why?

Correlate pipeline, job identifiers in audit logs

When pipelines execute against GitLab Secrets Manager, we should pass through the pipeline/job identifier in the OpenBao audit logs. This requires adding the information to the token metadata.

This change does not affect existing projects as we're still in closed experiment. Existing projects can pick up the new behavior by disabling and re-enabling on the project/group level.

References

Issue: #593674

See also: https://gitlab.com/gitlab-org/gitlab/-/issues/577901+

How to set up and validate locally

TBD

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.