GitLab CI/CD - Automated Setup
Set up GitLab CI/CD variables from the SikkerKey dashboard using OAuth.
SikkerKey can automatically configure your GitLab project for CI/CD -- generating a machine identity, pushing CI/CD variables, and adding the pipeline file -- all from the dashboard. No CLI commands, no copying credentials, no touching GitLab Settings.
How It Works
- From the dashboard, go to Integrations and expand GitLab CI/CD
- Click Connect GitLab to authorize SikkerKey via OAuth
- Select a GitLab project, a SikkerKey project, and which secrets to grant access to
- Choose whether to add the pipeline file via merge request or direct commit
- Click Set up
SikkerKey handles everything:
- Generates an Ed25519 keypair for the CI machine
- Registers and auto-approves the machine
- Grants access to your selected secrets
- Pushes the four required CI/CD variables (SIKKERKEY_VAULT_ID, SIKKERKEY_MACHINE_ID, SIKKERKEY_PRIVATE_KEY, SIKKERKEY_PROJECT_ID) to your project
- Optionally commits the pipeline file or opens a merge request
After Setup
If you chose Merge Request, merge the MR to activate the pipeline. If you chose Direct Commit, the pipeline runs on the next push.
If your project already has a .gitlab-ci.yml, SikkerKey commits the configuration as .gitlab-ci-sikkerkey.yml. Add the following to your existing pipeline:
include:
- local: '.gitlab-ci-sikkerkey.yml'
If no .gitlab-ci.yml exists, SikkerKey creates one that includes the configuration automatically.
Managing Configured Projects
Projects you've already set up are shown at the top of the GitLab panel on the Integrations page. From there you can:
- Disconnect a project -- revokes the machine, deletes the four CI/CD variables, and removes the pipeline file
- Set up another project using the form below the configured list
Machines created through the GitLab integration also appear on the Machines page like any other machine.
Disconnecting
Click Disconnect on the Integrations page to remove the GitLab OAuth connection from SikkerKey. Disconnect all configured projects first to clean up their CI/CD variables.
Security
- Encrypted tokens. OAuth tokens are encrypted with the server encryption key and stored in the database. They are never exposed to users after the initial authorization.
- Scoped access. SikkerKey requests the api scope, which is the minimum required to manage CI/CD variables and commit files.
- File type variables. The private key is stored as a file type CI/CD variable. GitLab writes the content to a temporary file -- the key never appears in job logs.
- Auto-approved machine. The CI machine is auto-approved because you initiated the setup from an authenticated dashboard session. It follows the same Ed25519 authentication model as every other machine.
- Private key handling. The machine's private key is generated server-side, pushed as a CI/CD variable, and immediately discarded. It is never stored in SikkerKey.
- Audit logged. Connection, setup, disconnect, and cleanup actions are all recorded in your audit log.
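To verify the file type variable claim above, and the cleanup that disconnecting a project performs, you can audit the project's variable list yourself. The following is an added example, not SikkerKey's own code: it checks a decoded response from GitLab's project-level variables API (GET /projects/:id/variables) for the four variables. The sample response, its values, and the function names are constructed for illustration.

```python
import json

# The four variable names come from this page; the JSON field names ("key",
# "variable_type", "environment_scope") are those of GitLab's variables API.
REQUIRED = ("SIKKERKEY_VAULT_ID", "SIKKERKEY_MACHINE_ID",
            "SIKKERKEY_PRIVATE_KEY", "SIKKERKEY_PROJECT_ID")
FILE_TYPE_KEYS = {"SIKKERKEY_PRIVATE_KEY"}

# Constructed sample response (all values are fake placeholders).
SAMPLE_RESPONSE = """[
  {"key": "SIKKERKEY_VAULT_ID", "variable_type": "env_var", "value": "vault-example", "environment_scope": "*"},
  {"key": "SIKKERKEY_MACHINE_ID", "variable_type": "env_var", "value": "machine-example", "environment_scope": "*"},
  {"key": "SIKKERKEY_PRIVATE_KEY", "variable_type": "env_var", "value": "constructed-not-a-key", "environment_scope": "*"},
  {"key": "DEPLOY_ENV", "variable_type": "env_var", "value": "staging", "environment_scope": "*"}
]"""


def audit_variables(variables, expect_connected=True):
    """Return sorted findings for one project's decoded variables list."""
    by_key = {}
    for var in variables:
        if var.get("key") in REQUIRED:
            by_key.setdefault(var["key"], []).append(var)

    if not expect_connected:
        # Disconnecting a project should have deleted all four variables.
        return sorted(f"{key}: still present after disconnect" for key in by_key)

    findings = []
    for key in REQUIRED:
        entries = by_key.get(key, [])
        if not entries:
            findings.append(f"{key}: missing")
            continue
        if len(entries) > 1:  # same key defined under several environment scopes
            scopes = sorted(e.get("environment_scope", "*") for e in entries)
            findings.append(f"{key}: defined {len(entries)} times, scopes {scopes}")
        for entry in entries:
            if key in FILE_TYPE_KEYS and entry.get("variable_type") != "file":
                findings.append(f"{key}: type {entry.get('variable_type')!r}, expected 'file'")
    return sorted(findings)


def audit_sample():
    return audit_variables(json.loads(SAMPLE_RESPONSE))


if __name__ == "__main__":
    print("\n".join(audit_sample()))
```

Run it with expect_connected=False against a project you have disconnected to confirm that none of the four variables were left behind.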
Requirements
- A GitLab account with maintainer access to the target project (required to create CI/CD variables)
- The project must have at least one commit
When to Use Manual Setup Instead
Use the manual setup if:
- Your organization restricts third-party OAuth applications
- You need to customize the bootstrap process