gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: GitLab Bot <gitlab-bot@gitlab.com> 2023-12-05 15:07:48 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-12-05 15:07:48 +0300
commit: b35f7ce1f3f12bf7b673c9d29002e14d0c83f35f
tree: 4c9680ae9ff677dd5102d727f4a3dee4007baab7 /doc
parent: 01625f2465779254cfdd08697c4955cf3af05a1f
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- doc/api/graphql/reference/index.md | 25
-rw-r--r-- doc/architecture/blueprints/ci_gcp_secrets_manager/index.md | 107
-rw-r--r-- doc/ci/variables/predefined_variables.md | 278
-rw-r--r-- doc/ci/variables/where_variables_can_be_used.md | 10
-rw-r--r-- doc/ci/yaml/index.md | 3
-rw-r--r-- doc/development/database/loose_foreign_keys.md | 15
-rw-r--r-- doc/development/documentation/styleguide/word_list.md | 2
-rw-r--r-- doc/user/application_security/vulnerability_report/index.md | 12
-rw-r--r-- doc/user/group/saml_sso/troubleshooting.md | 4
-rw-r--r-- doc/user/profile/personal_access_tokens.md | 4
10 files changed, 312 insertions, 148 deletions
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 1137e67bb42..d5e80e0549f 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -23819,6 +23819,7 @@ Represents vulnerability finding of a security report on the pipeline.
| <a id="projectdetailedimportstatus"></a>`detailedImportStatus` | [`DetailedImportStatus`](#detailedimportstatus) | Detailed import status of the project. |
| <a id="projectdora"></a>`dora` | [`Dora`](#dora) | Project's DORA metrics. |
| <a id="projectflowmetrics"></a>`flowMetrics` **{warning-solid}** | [`ProjectValueStreamAnalyticsFlowMetrics`](#projectvaluestreamanalyticsflowmetrics) | **Introduced** in 15.10. This feature is an Experiment. It can be changed or removed at any time. Flow metrics for value stream analytics. |
+| <a id="projectforkingaccesslevel"></a>`forkingAccessLevel` | [`ProjectFeatureAccess`](#projectfeatureaccess) | Access level required for forking access. |
| <a id="projectforkscount"></a>`forksCount` | [`Int!`](#int) | Number of times the project has been forked. |
| <a id="projectfullpath"></a>`fullPath` | [`ID!`](#id) | Full path of the project. |
| <a id="projectgrafanaintegration"></a>`grafanaIntegration` | [`GrafanaIntegration`](#grafanaintegration) | Grafana integration details for the project. |
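Review bot: the description on the added `forkingAccessLevel` row, "Access level required for forking access", restates the field name without saying what is gated, and the type is nullable with no statement of when `null` is returned. Suggest wording such as "Access level required to fork the project" plus a short note on the null case.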
@@ -23829,6 +23830,7 @@ Represents vulnerability finding of a security report on the pipeline.
| <a id="projectimportstatus"></a>`importStatus` | [`String`](#string) | Status of import background job of the project. |
| <a id="projectincidentmanagementtimelineeventtags"></a>`incidentManagementTimelineEventTags` | [`[TimelineEventTagType!]`](#timelineeventtagtype) | Timeline event tags for the project. |
| <a id="projectiscatalogresource"></a>`isCatalogResource` **{warning-solid}** | [`Boolean`](#boolean) | **Introduced** in 15.11. This feature is an Experiment. It can be changed or removed at any time. Indicates if a project is a catalog resource. |
+| <a id="projectissuesaccesslevel"></a>`issuesAccessLevel` | [`ProjectFeatureAccess`](#projectfeatureaccess) | Access level required for issues access. |
| <a id="projectissuesenabled"></a>`issuesEnabled` | [`Boolean`](#boolean) | Indicates if Issues are enabled for the current user. |
| <a id="projectjiraimportstatus"></a>`jiraImportStatus` | [`String`](#string) | Status of Jira import background job of the project. |
| <a id="projectjiraimports"></a>`jiraImports` | [`JiraImportConnection`](#jiraimportconnection) | Jira imports into the project. (see [Connections](#connections)) |
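Review bot: the added `issuesAccessLevel` row sits directly above `issuesEnabled` ("Indicates if Issues are enabled for the current user") and nothing says how the two fields relate. A reader checking who can see issues needs to know which field is the project-wide setting and which is evaluated for the caller; state that in one of the two descriptions.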
@@ -23837,6 +23839,7 @@ Represents vulnerability finding of a security report on the pipeline.
| <a id="projectlastactivityat"></a>`lastActivityAt` | [`Time`](#time) | Timestamp of the project last activity. |
| <a id="projectlfsenabled"></a>`lfsEnabled` | [`Boolean`](#boolean) | Indicates if the project has Large File Storage (LFS) enabled. |
| <a id="projectmergecommittemplate"></a>`mergeCommitTemplate` | [`String`](#string) | Template used to create merge commit message in merge requests. |
+| <a id="projectmergerequestsaccesslevel"></a>`mergeRequestsAccessLevel` | [`ProjectFeatureAccess`](#projectfeatureaccess) | Access level required for merge requests access. |
| <a id="projectmergerequestsdisablecommittersapproval"></a>`mergeRequestsDisableCommittersApproval` | [`Boolean!`](#boolean) | Indicates that committers of the given merge request cannot approve. |
| <a id="projectmergerequestsenabled"></a>`mergeRequestsEnabled` | [`Boolean`](#boolean) | Indicates if Merge Requests are enabled for the current user. |
| <a id="projectmergerequestsffonlyenabled"></a>`mergeRequestsFfOnlyEnabled` | [`Boolean`](#boolean) | Indicates if no merge commits should be created and all merges should instead be fast-forwarded, which means that merging is only allowed if the branch could be fast-forwarded. |
@@ -23847,6 +23850,7 @@ Represents vulnerability finding of a security report on the pipeline.
| <a id="projectonlyallowmergeifallstatuscheckspassed"></a>`onlyAllowMergeIfAllStatusChecksPassed` | [`Boolean`](#boolean) | Indicates that merges of merge requests should be blocked unless all status checks have passed. |
| <a id="projectonlyallowmergeifpipelinesucceeds"></a>`onlyAllowMergeIfPipelineSucceeds` | [`Boolean`](#boolean) | Indicates if merge requests of the project can only be merged with successful jobs. |
| <a id="projectopenissuescount"></a>`openIssuesCount` | [`Int`](#int) | Number of open issues for the project. |
+| <a id="projectopenmergerequestscount"></a>`openMergeRequestsCount` | [`Int`](#int) | Number of open merge requests for the project. |
| <a id="projectpackagescleanuppolicy"></a>`packagesCleanupPolicy` | [`PackagesCleanupPolicy`](#packagescleanuppolicy) | Packages cleanup policy for the project. |
| <a id="projectpackagesprotectionrules"></a>`packagesProtectionRules` | [`PackagesProtectionRuleConnection`](#packagesprotectionruleconnection) | Packages protection rules for the project. (see [Connections](#connections)) |
| <a id="projectpath"></a>`path` | [`String!`](#string) | Path of the project. |
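Review bot: `openMergeRequestsCount` is documented as a nullable `Int`, but the description does not say when it is `null`. Since `mergeRequestsAccessLevel` is added in the same change, state whether the count is withheld from callers who cannot access merge requests, or when merge requests are disabled for the project.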
@@ -25373,6 +25377,17 @@ four standard [pagination arguments](#connection-pagination-arguments):
| <a id="projectdatatransferegressnodes"></a>`egressNodes` | [`EgressNodeConnection`](#egressnodeconnection) | Data nodes. (see [Connections](#connections)) |
| <a id="projectdatatransfertotalegress"></a>`totalEgress` | [`BigInt`](#bigint) | Total egress for that project in that period of time. |
+### `ProjectFeatureAccess`
+
+Represents the access level required by the user to access a project feature.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="projectfeatureaccessintegervalue"></a>`integerValue` | [`Int`](#int) | Integer representation of access level. |
+| <a id="projectfeatureaccessstringvalue"></a>`stringValue` | [`ProjectFeatureAccessLevel`](#projectfeatureaccesslevel) | String representation of access level. |
+
### `ProjectMember`
Represents a Project Membership.
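Review bot: `integerValue` is described only as "Integer representation of access level", with no mapping to the `ProjectFeatureAccessLevel` values returned by `stringValue`. Clients that compare or store the integer need the numbers documented here, or a pointer to where they are defined. In the type description, "required by the user" also reads better as "required for a user".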
@@ -30740,6 +30755,16 @@ Current state of the product analytics stack.
| <a id="productanalyticsstateloading_instance"></a>`LOADING_INSTANCE` | Stack is currently initializing. |
| <a id="productanalyticsstatewaiting_for_events"></a>`WAITING_FOR_EVENTS` | Stack is waiting for events from users. |
+### `ProjectFeatureAccessLevel`
+
+Access level of a project feature.
+
+| Value | Description |
+| ----- | ----------- |
+| <a id="projectfeatureaccessleveldisabled"></a>`DISABLED` | Not enabled for anyone. |
+| <a id="projectfeatureaccesslevelenabled"></a>`ENABLED` | Enabled for everyone able to access the project. |
+| <a id="projectfeatureaccesslevelprivate"></a>`PRIVATE` | Enabled only for team members. |
+
### `ProjectMemberRelation`
Project member relation.
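Review bot: in the `PRIVATE` row, "team members" is not a term used elsewhere in the visible reference, which speaks of project members (`ProjectMember`, "Represents a Project Membership"). Use "project members" and say whether that includes members inherited from a group, because this value is what a reader will use to decide who can reach the feature.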
diff --git a/doc/architecture/blueprints/ci_gcp_secrets_manager/index.md b/doc/architecture/blueprints/ci_gcp_secrets_manager/index.md
new file mode 100644
index 00000000000..250c18c02c0
--- /dev/null
+++ b/doc/architecture/blueprints/ci_gcp_secrets_manager/index.md
@@ -0,0 +1,107 @@
+---
+status: proposed
+creation-date: "2023-11-29"
+authors: [ "@alberts-gitlab" ]
+coach: "@grzesiek"
+approvers: [ "@jocelynjane", "@shampton" ]
+owning-stage: "~devops::verify"
+participating-stages: []
+---
+
+<!-- Blueprints often contain forward-looking statements -->
+<!-- vale gitlab.FutureTense = NO -->
+
+# Support GCP Secrets Manager for CI External Secrets
+
+## Summary
+
+This blueprint describes the architecture to add GCP Secrets Manager as one of the
+sources for CI External Secrets.
+
+## Motivation
+
+GitLab CI allows users to pull secrets from external sources into GitLab CI jobs.
+Prior to this, the supported secret managers are HashiCorp Vault and Azure Key Vault.
+GCP Secrets Manager is another major secret manager product and there has been
+multiple requests and feedback to add GCP Secrets Manager to the list of
+supported secret managers.
+
+### Goals
+
+The goal of this feature is to allow GitLab CI users to use secrets stored in
+GCP Secrets Manager in their CI jobs.
+
+### Non-Goals
+
+This feature does not cover the following:
+
+- Using secrets from GCP Secrets Manager in other GitLab workloads.
+- Managing secrets in GCP Secrets Manager or other secret managers through GitLab.
+
+## Proposal
+
+This feature requires a tight integration between GCP Secrets Manager, GitLab Rails and GitLab Runner.
+
+The solution to this feature involves three main parts:
+
+1. Authentication with GCP Secrets Manager
+1. CI configuration on GitLab Rails
+1. Secrets access by GitLab Runner
+
+### Authentication with GCP Secrets Manager
+
+GCP Secrets Manager needs to authenticate secret access requests coming from GitLab Runner.
+Since GitLab Runner can operate in many modes (GitLab.com SaaS runners, SaaS with self-managed runner, GitLab Self-Managed, etc),
+there is no direct correlation between the Runner instance and any GCP identities that can have access to the secrets.
+
+To solve this, we would use OIDC and GCP's Workload Identity Federation mechanism to authorize the requests.
+
+CI jobs already have support for OIDC through CI variables containing ID tokens issued by the GitLab instance.
+These ID tokens already carry `claim`s that describe the context of the CI job.
+For example, it includes details such as `group_id`, `group_path`, `project_id`, and `project_path`.
+
+On the GCP side, Workload Identity Federation allows the use of OIDC to grant GCP IAM roles to the external identities
+represented by the ID tokens. Through Workload Identity Federation, the GCP user can grant specific IAM roles to
+specific principals identified through the OIDC `claim`. For example, a particular `group_id` claim can be given an IAM role
+to access a particular set of secrets in GCP Secrets Manager. This would allow the GCP user to grant granular
+access to the secrets in GCP Secrets Manager.
+
+### CI configuration on GitLab Rails
+
+GitLab Rails will be the interface where users configure the CI jobs. For the GCP Secrets Manager integration,
+there needs to be additional configuration to specify GCP Secrets Manager as a source for external secrets as well as
+GCP specific information in order to enable authentication between GitLab Runner and GCP Secrets Manager.
+
+The proposed CI keyword would be the following:
+
+```yaml
+job_name:
+ id_tokens:
+ GCP_SM_ID_TOKEN:
+ aud: https://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_FEDERATION_POOL_ID/providers/$GCP_WORKLOAD_FEDERATION_PROVIDER_ID # or a custom audience as configured in GCP Workload Identity Pool Provider.
+ secrets:
+ DATABASE_PASSWORD:
+ gcp_sm:
+ name: my-project-secret # This is the name of the secret defined in GCP Secrets Manager
+ version: 1 # optional: default to `latest`.
+ token: GCP_SM_ID_TOKEN
+```
+
+In addition, GitLab Runner needs to know the following in order to perform the authentication and access the secret.
+These should be included as CI variables in the job.
+
+- GCP Project Number `GCP_PROJECT_NUMBER`
+- GCP Workload Federation Pool ID `GCP_WORKLOAD_FEDERATION_POOL_ID`
+- GCP Workload Federation Provider ID `GCP_WORKLOAD_FEDERATION_PROVIDER_ID`
+
+### Secrets access by GitLab Runner
+
+Based on the job specification defined above, GitLab Runner needs to implement the following:
+
+1. OIDC authentication with GCP Secure Token Service to obtain an access token.
+1. Secret access requests to GCP Secrets Manager to obtain the payload of the desired secret version.
+1. Adding the secrets to the build.
+
+## Alternative Solutions
+
+N/A.
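Review bot: the "Authentication with GCP Secrets Manager" section uses a `group_id` claim as its example of binding an IAM role, but the blueprint never says which claims are recommended for that binding or how narrow it should be. A role bound to `group_id` alone is available to every job whose ID token carries that group, so the text should recommend the narrowest of the listed claims that fits (for example `project_id`) and describe the expected Workload Identity provider configuration. Two smaller gaps: step 3, "Adding the secrets to the build", does not say whether the value arrives as a file or a variable or whether it is masked in job logs, and the job example defaults `version` to `latest`, so the payload a job receives can change without any change to the CI configuration; say whether pinning a version is recommended.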
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index 93b08cb2968..0ff1c2bf14e 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -9,142 +9,147 @@ type: reference
Predefined [CI/CD variables](index.md) are available in every GitLab CI/CD pipeline.
-Some variables are only available with more recent versions of [GitLab Runner](https://docs.gitlab.com/runner/).
+Predefined CI/CD variables become available at two different phases of pipeline execution.
+Some variables are available when GitLab creates the pipeline, and can be used to configure
+the pipeline or in job scripts. The other variables become available when a runner runs the job,
+and can only be used in job scripts.
-You can [output the values of all variables available for a job](index.md#list-all-variables)
-with a `script` command.
+Predefined variables made available by the runner cannot be used with [trigger jobs](../pipelines/downstream_pipelines.md#trigger-a-downstream-pipeline-from-a-job-in-the-gitlab-ciyml-file)
+or these keywords:
-There are also a number of [variables you can use to configure runner behavior](../runners/configure_runners.md#configure-runner-behavior-with-variables) globally or for individual jobs.
+- [`workflow`](../yaml/index.md#workflow)
+- [`include`](../yaml/index.md#include)
+- [`rules`](../yaml/index.md#rules)
NOTE:
-You should avoid [overriding](index.md#override-a-defined-cicd-variable) predefined variables,
+Avoid [overriding](index.md#override-a-defined-cicd-variable) predefined variables,
as it can cause the pipeline to behave unexpectedly.
-| Variable | GitLab | Runner | Description |
-|------------------------------------------|--------|--------|-------------|
-| `CHAT_CHANNEL` | 10.6 | all | The Source chat channel that triggered the [ChatOps](../chatops/index.md) command. |
-| `CHAT_INPUT` | 10.6 | all | The additional arguments passed with the [ChatOps](../chatops/index.md) command. |
-| `CHAT_USER_ID` | 14.4 | all | The chat service's user ID of the user who triggered the [ChatOps](../chatops/index.md) command. |
-| `CI` | all | 0.4 | Available for all jobs executed in CI/CD. `true` when available. |
-| `CI_API_V4_URL` | 11.7 | all | The GitLab API v4 root URL. |
-| `CI_API_GRAPHQL_URL` | 15.11 | all | The GitLab API GraphQL root URL. |
-| `CI_BUILDS_DIR` | all | 11.10 | The top-level directory where builds are executed. |
-| `CI_COMMIT_AUTHOR` | 13.11 | all | The author of the commit in `Name <email>` format. |
-| `CI_COMMIT_BEFORE_SHA` | 11.2 | all | The previous latest commit present on a branch or tag. Is always `0000000000000000000000000000000000000000` for merge request pipelines, the first commit in pipelines for branches or tags, or when manually running a pipeline. |
-| `CI_COMMIT_BRANCH` | 12.6 | 0.5 | The commit branch name. Available in branch pipelines, including pipelines for the default branch. Not available in merge request pipelines or tag pipelines. |
-| `CI_COMMIT_DESCRIPTION` | 10.8 | all | The description of the commit. If the title is shorter than 100 characters, the message without the first line. |
-| `CI_COMMIT_MESSAGE` | 10.8 | all | The full commit message. |
-| `CI_COMMIT_REF_NAME` | 9.0 | all | The branch or tag name for which project is built. |
-| `CI_COMMIT_REF_PROTECTED` | 11.11 | all | `true` if the job is running for a protected reference, `false` otherwise. |
-| `CI_COMMIT_REF_SLUG` | 9.0 | all | `CI_COMMIT_REF_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in URLs, host names and domain names. |
-| `CI_COMMIT_SHA` | 9.0 | all | The commit revision the project is built for. |
-| `CI_COMMIT_SHORT_SHA` | 11.7 | all | The first eight characters of `CI_COMMIT_SHA`. |
-| `CI_COMMIT_TAG` | 9.0 | 0.5 | The commit tag name. Available only in pipelines for tags. |
-| `CI_COMMIT_TAG_MESSAGE` | 15.5 | all | The commit tag message. Available only in pipelines for tags. |
-| `CI_COMMIT_TIMESTAMP` | 13.4 | all | The timestamp of the commit in the [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. |
-| `CI_COMMIT_TITLE` | 10.8 | all | The title of the commit. The full first line of the message. |
-| `CI_CONCURRENT_ID` | all | 11.10 | The unique ID of build execution in a single executor. |
-| `CI_CONCURRENT_PROJECT_ID` | all | 11.10 | The unique ID of build execution in a single executor and project. |
-| `CI_CONFIG_PATH` | 9.4 | 0.5 | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`. Read-only inside a running pipeline. |
-| `CI_DEBUG_TRACE` | all | 1.7 | `true` if [debug logging (tracing)](index.md#enable-debug-logging) is enabled. |
-| `CI_DEBUG_SERVICES` | 15.7 | 15.7 | `true` if [service container logging](../services/index.md#capturing-service-container-logs) is enabled. |
-| `CI_DEFAULT_BRANCH` | 12.4 | all | The name of the project's default branch. |
-| `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` | 13.7 | all | The top-level group image prefix for pulling images through the Dependency Proxy. |
-| `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` | 14.3 | all | The direct group image prefix for pulling images through the Dependency Proxy. |
-| `CI_DEPENDENCY_PROXY_PASSWORD` | 13.7 | all | The password to pull images through the Dependency Proxy. |
-| `CI_DEPENDENCY_PROXY_SERVER` | 13.7 | all | The server for logging in to the Dependency Proxy. This is equivalent to `$CI_SERVER_HOST:$CI_SERVER_PORT`. |
-| `CI_DEPENDENCY_PROXY_USER` | 13.7 | all | The username to pull images through the Dependency Proxy. |
-| `CI_DEPLOY_FREEZE` | 13.2 | all | Only available if the pipeline runs during a [deploy freeze window](../../user/project/releases/index.md#prevent-unintentional-releases-by-setting-a-deploy-freeze). `true` when available. |
-| `CI_DEPLOY_PASSWORD` | 10.8 | all | The authentication password of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), if the project has one. |
-| `CI_DEPLOY_USER` | 10.8 | all | The authentication username of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), if the project has one. |
-| `CI_DISPOSABLE_ENVIRONMENT` | all | 10.1 | Only available if the job is executed in a disposable environment (something that is created only for this job and disposed of/destroyed after the execution - all executors except `shell` and `ssh`). `true` when available. |
-| `CI_ENVIRONMENT_NAME` | 8.15 | all | The name of the environment for this job. Available if [`environment:name`](../yaml/index.md#environmentname) is set. |
-| `CI_ENVIRONMENT_SLUG` | 8.15 | all | The simplified version of the environment name, suitable for inclusion in DNS, URLs, Kubernetes labels, and so on. Available if [`environment:name`](../yaml/index.md#environmentname) is set. The slug is [truncated to 24 characters](https://gitlab.com/gitlab-org/gitlab/-/issues/20941). A random suffix is automatically added to [uppercase environment names](https://gitlab.com/gitlab-org/gitlab/-/issues/415526). |
-| `CI_ENVIRONMENT_URL` | 9.3 | all | The URL of the environment for this job. Available if [`environment:url`](../yaml/index.md#environmenturl) is set. |
-| `CI_ENVIRONMENT_ACTION` | 13.11 | all | The action annotation specified for this job's environment. Available if [`environment:action`](../yaml/index.md#environmentaction) is set. Can be `start`, `prepare`, or `stop`. |
-| `CI_ENVIRONMENT_TIER` | 14.0 | all | The [deployment tier of the environment](../environments/index.md#deployment-tier-of-environments) for this job. |
-| `CI_RELEASE_DESCRIPTION` | 15.5 | all | The description of the release. Available only on pipelines for tags. Description length is limited to first 1024 characters.|
-| `CI_GITLAB_FIPS_MODE` | 14.10 | all | Only available if [FIPS mode](../../development/fips_compliance.md) is enabled in the GitLab instance. `true` when available. |
-| `CI_HAS_OPEN_REQUIREMENTS` | 13.1 | all | Only available if the pipeline's project has an open [requirement](../../user/project/requirements/index.md). `true` when available. |
-| `CI_JOB_ID` | 9.0 | all | The internal ID of the job, unique across all jobs in the GitLab instance. |
-| `CI_JOB_IMAGE` | 12.9 | 12.9 | The name of the Docker image running the job. |
-| `CI_JOB_JWT` (Deprecated) | 12.10 | all | A RS256 JSON web token to authenticate with third party systems that support JWT authentication, for example [HashiCorp's Vault](../secrets/index.md). [Deprecated in GitLab 15.9](../../update/deprecations.md#old-versions-of-json-web-tokens-are-deprecated) and scheduled to be removed in GitLab 17.0. Use [ID tokens](../yaml/index.md#id_tokens) instead. |
-| `CI_JOB_JWT_V1` (Deprecated) | 14.6 | all | The same value as `CI_JOB_JWT`. [Deprecated in GitLab 15.9](../../update/deprecations.md#old-versions-of-json-web-tokens-are-deprecated) and scheduled to be removed in GitLab 17.0. Use [ID tokens](../yaml/index.md#id_tokens) instead. |
-| `CI_JOB_JWT_V2` (Deprecated) | 14.6 | all | A newly formatted RS256 JSON web token to increase compatibility. Similar to `CI_JOB_JWT`, except the issuer (`iss`) claim is changed from `gitlab.com` to `https://gitlab.com`, `sub` has changed from `job_id` to a string that contains the project path, and an `aud` claim is added. The `aud` field is a constant value. Trusting JWTs in multiple relying parties can lead to [one RP sending a JWT to another one and acting maliciously as a job](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72555#note_769112331). [Deprecated in GitLab 15.9](../../update/deprecations.md#old-versions-of-json-web-tokens-are-deprecated) and scheduled to be removed in GitLab 17.0. Use [ID tokens](../yaml/index.md#id_tokens) instead. |
-| `CI_JOB_MANUAL` | 8.12 | all | Only available if the job was started manually. `true` when available. |
-| `CI_JOB_NAME` | 9.0 | 0.5 | The name of the job. |
-| `CI_JOB_NAME_SLUG` | 15.4 | all | `CI_JOB_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in paths. |
-| `CI_JOB_STAGE` | 9.0 | 0.5 | The name of the job's stage. |
-| `CI_JOB_STATUS` | all | 13.5 | The status of the job as each runner stage is executed. Use with [`after_script`](../yaml/index.md#after_script). Can be `success`, `failed`, or `canceled`. |
-| `CI_JOB_TIMEOUT` | 15.7 | 15.7 | The job timeout, in seconds. |
-| `CI_JOB_TOKEN` | 9.0 | 1.2 | A token to authenticate with [certain API endpoints](../jobs/ci_job_token.md). The token is valid as long as the job is running. |
-| `CI_JOB_URL` | 11.1 | 0.5 | The job details URL. |
-| `CI_JOB_STARTED_AT` | 13.10 | all | The UTC datetime when a job started, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. |
-| `CI_KUBERNETES_ACTIVE` | 13.0 | all | Only available if the pipeline has a Kubernetes cluster available for deployments. `true` when available. |
-| `CI_NODE_INDEX` | 11.5 | all | The index of the job in the job set. Only available if the job uses [`parallel`](../yaml/index.md#parallel). |
-| `CI_NODE_TOTAL` | 11.5 | all | The total number of instances of this job running in parallel. Set to `1` if the job does not use [`parallel`](../yaml/index.md#parallel). |
-| `CI_OPEN_MERGE_REQUESTS` | 13.8 | all | A comma-separated list of up to four merge requests that use the current branch and project as the merge request source. Only available in branch and merge request pipelines if the branch has an associated merge request. For example, `gitlab-org/gitlab!333,gitlab-org/gitlab-foss!11`. |
-| `CI_PAGES_DOMAIN` | 11.8 | all | The configured domain that hosts GitLab Pages. |
-| `CI_PAGES_URL` | 11.8 | all | The URL for a GitLab Pages site. Always a subdomain of `CI_PAGES_DOMAIN`. |
-| `CI_PIPELINE_ID` | 8.10 | all | The instance-level ID of the current pipeline. This ID is unique across all projects on the GitLab instance. |
-| `CI_PIPELINE_IID` | 11.0 | all | The project-level IID (internal ID) of the current pipeline. This ID is unique only within the current project. |
-| `CI_PIPELINE_SOURCE` | 10.0 | all | How the pipeline was triggered. Can be `push`, `web`, `schedule`, `api`, `external`, `chat`, `webide`, `merge_request_event`, `external_pull_request_event`, `parent_pipeline`, [`trigger`, or `pipeline`](../triggers/index.md#configure-cicd-jobs-to-run-in-triggered-pipelines). For a description of each value, see [Common `if` clauses for `rules`](../jobs/job_control.md#common-if-clauses-for-rules), which uses this variable to control when jobs run. |
-| `CI_PIPELINE_TRIGGERED` | all | all | `true` if the job was [triggered](../triggers/index.md). |
-| `CI_PIPELINE_URL` | 11.1 | 0.5 | The URL for the pipeline details. |
-| `CI_PIPELINE_CREATED_AT` | 13.10 | all | The UTC datetime when the pipeline was created, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. |
-| `CI_PIPELINE_NAME` | 16.3 | all | The pipeline name defined in [`workflow:name`](../yaml/index.md#workflowname) |
-| `CI_PROJECT_DIR` | all | all | The full path the repository is cloned to, and where the job runs from. If the GitLab Runner `builds_dir` parameter is set, this variable is set relative to the value of `builds_dir`. For more information, see the [Advanced GitLab Runner configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
-| `CI_PROJECT_ID` | all | all | The ID of the current project. This ID is unique across all projects on the GitLab instance. |
-| `CI_PROJECT_NAME` | 8.10 | 0.5 | The name of the directory for the project. For example if the project URL is `gitlab.example.com/group-name/project-1`, `CI_PROJECT_NAME` is `project-1`. |
-| `CI_PROJECT_NAMESPACE` | 8.10 | 0.5 | The project namespace (username or group name) of the job. |
-| `CI_PROJECT_NAMESPACE_ID` | 15.7 | 0.5 | The project namespace ID of the job. |
-| `CI_PROJECT_PATH_SLUG` | 9.3 | all | `$CI_PROJECT_PATH` in lowercase with characters that are not `a-z` or `0-9` replaced with `-` and shortened to 63 bytes. Use in URLs and domain names. |
-| `CI_PROJECT_PATH` | 8.10 | 0.5 | The project namespace with the project name included. |
-| `CI_PROJECT_REPOSITORY_LANGUAGES` | 12.3 | all | A comma-separated, lowercase list of the languages used in the repository. For example `ruby,javascript,html,css`. The maximum number of languages is limited to 5. An issue [proposes to increase the limit](https://gitlab.com/gitlab-org/gitlab/-/issues/368925). |
-| `CI_PROJECT_ROOT_NAMESPACE` | 13.2 | 0.5 | The root project namespace (username or group name) of the job. For example, if `CI_PROJECT_NAMESPACE` is `root-group/child-group/grandchild-group`, `CI_PROJECT_ROOT_NAMESPACE` is `root-group`. |
-| `CI_PROJECT_TITLE` | 12.4 | all | The human-readable project name as displayed in the GitLab web interface. |
-| `CI_PROJECT_DESCRIPTION` | 15.1 | all | The project description as displayed in the GitLab web interface. |
-| `CI_PROJECT_URL` | 8.10 | 0.5 | The HTTP(S) address of the project. |
-| `CI_PROJECT_VISIBILITY` | 10.3 | all | The project visibility. Can be `internal`, `private`, or `public`. |
-| `CI_PROJECT_CLASSIFICATION_LABEL` | 14.2 | all | The project [external authorization classification label](../../administration/settings/external_authorization.md). |
-| `CI_REGISTRY` | 8.10 | 0.5 | Address of the [container registry](../../user/packages/container_registry/index.md) server, formatted as `<host>[:<port>]`. For example: `registry.gitlab.example.com`. Only available if the container registry is enabled for the GitLab instance. |
-| `CI_REGISTRY_IMAGE` | 8.10 | 0.5 | Base address for the container registry to push, pull, or tag project's images, formatted as `<host>[:<port>]/<project_full_path>`. For example: `registry.gitlab.example.com/my_group/my_project`. Image names must follow the [container registry naming convention](../../user/packages/container_registry/index.md#naming-convention-for-your-container-images). Only available if the container registry is enabled for the project. |
-| `CI_REGISTRY_PASSWORD` | 9.0 | all | The password to push containers to the GitLab project's container registry. Only available if the container registry is enabled for the project. This password value is the same as the `CI_JOB_TOKEN` and is valid only as long as the job is running. Use the `CI_DEPLOY_PASSWORD` for long-lived access to the registry |
-| `CI_REGISTRY_USER` | 9.0 | all | The username to push containers to the project's GitLab container registry. Only available if the container registry is enabled for the project. |
-| `CI_REPOSITORY_URL` | 9.0 | all | The full path to Git clone (HTTP) the repository with a [CI/CD job token](../jobs/ci_job_token.md), in the format `https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/my-group/my-project.git`. |
-| `CI_RUNNER_DESCRIPTION` | 8.10 | 0.5 | The description of the runner. |
-| `CI_RUNNER_EXECUTABLE_ARCH` | all | 10.6 | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
-| `CI_RUNNER_ID` | 8.10 | 0.5 | The unique ID of the runner being used. |
-| `CI_RUNNER_REVISION` | all | 10.6 | The revision of the runner running the job. |
-| `CI_RUNNER_SHORT_TOKEN` | all | 12.3 | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
-| `CI_RUNNER_TAGS` | 8.10 | 0.5 | A comma-separated list of the runner tags. |
-| `CI_RUNNER_VERSION` | all | 10.6 | The version of the GitLab Runner running the job. |
-| `CI_SERVER_HOST` | 12.1 | all | The host of the GitLab instance URL, without protocol or port. For example `gitlab.example.com`. |
-| `CI_SERVER_NAME` | all | all | The name of CI/CD server that coordinates jobs. |
-| `CI_SERVER_PORT` | 12.8 | all | The port of the GitLab instance URL, without host or protocol. For example `8080`. |
-| `CI_SERVER_PROTOCOL` | 12.8 | all | The protocol of the GitLab instance URL, without host or port. For example `https`. |
-| `CI_SERVER_SHELL_SSH_HOST` | 15.11 | all | The SSH host of the GitLab instance, used for access to Git repositories via SSH. For example `gitlab.com`. |
-| `CI_SERVER_SHELL_SSH_PORT` | 15.11 | all | The SSH port of the GitLab instance, used for access to Git repositories via SSH. For example `22`. |
-| `CI_SERVER_REVISION` | all | all | GitLab revision that schedules jobs. |
-| `CI_SERVER_TLS_CA_FILE` | all | all | File containing the TLS CA certificate to verify the GitLab server when `tls-ca-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
-| `CI_SERVER_TLS_CERT_FILE` | all | all | File containing the TLS certificate to verify the GitLab server when `tls-cert-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
-| `CI_SERVER_TLS_KEY_FILE` | all | all | File containing the TLS key to verify the GitLab server when `tls-key-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
-| `CI_SERVER_URL` | 12.7 | all | The base URL of the GitLab instance, including protocol and port. For example `https://gitlab.example.com:8080`. |
-| `CI_SERVER_VERSION_MAJOR` | 11.4 | all | The major version of the GitLab instance. For example, if the GitLab version is `13.6.1`, the `CI_SERVER_VERSION_MAJOR` is `13`. |
-| `CI_SERVER_VERSION_MINOR` | 11.4 | all | The minor version of the GitLab instance. For example, if the GitLab version is `13.6.1`, the `CI_SERVER_VERSION_MINOR` is `6`. |
-| `CI_SERVER_VERSION_PATCH` | 11.4 | all | The patch version of the GitLab instance. For example, if the GitLab version is `13.6.1`, the `CI_SERVER_VERSION_PATCH` is `1`. |
-| `CI_SERVER_VERSION` | all | all | The full version of the GitLab instance. |
-| `CI_SERVER` | all | all | Available for all jobs executed in CI/CD. `yes` when available. |
-| `CI_SHARED_ENVIRONMENT` | all | 10.1 | Only available if the job is executed in a shared environment (something that is persisted across CI/CD invocations, like the `shell` or `ssh` executor). `true` when available. |
-| `CI_TEMPLATE_REGISTRY_HOST` | 15.3 | all | The host of the registry used by CI/CD templates. Defaults to `registry.gitlab.com`. |
-| `GITLAB_CI` | all | all | Available for all jobs executed in CI/CD. `true` when available. |
-| `GITLAB_FEATURES` | 10.6 | all | The comma-separated list of licensed features available for the GitLab instance and license. |
-| `GITLAB_USER_EMAIL` | 8.12 | all | The email of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the email of the user who started the job. |
-| `GITLAB_USER_ID` | 8.12 | all | The numeric ID of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the ID of the user who started the job. |
-| `GITLAB_USER_LOGIN` | 10.0 | all | The username of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the username of the user who started the job. |
-| `GITLAB_USER_NAME` | 10.0 | all | The display name of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the name of the user who started the job. |
-| `KUBECONFIG` | 14.2 | all | The path to the `kubeconfig` file with contexts for every shared agent connection. Only available when a [GitLab agent is authorized to access the project](../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent). |
-| `TRIGGER_PAYLOAD` | 13.9 | all | The webhook payload. Only available when a pipeline is [triggered with a webhook](../triggers/index.md#access-webhook-payload). |
+| Variable | Defined for | GitLab | Runner | Description |
+|-----------------------------------|-------------|--------|--------|-------------|
+| `CHAT_CHANNEL` | Pipeline | 10.6 | all | The Source chat channel that triggered the [ChatOps](../chatops/index.md) command. |
+| `CHAT_INPUT` | Pipeline | 10.6 | all | The additional arguments passed with the [ChatOps](../chatops/index.md) command. |
+| `CHAT_USER_ID` | Pipeline | 14.4 | all | The chat service's user ID of the user who triggered the [ChatOps](../chatops/index.md) command. |
+| `CI` | Pipeline | all | 0.4 | Available for all jobs executed in CI/CD. `true` when available. |
+| `CI_API_V4_URL` | Pipeline | 11.7 | all | The GitLab API v4 root URL. |
+| `CI_API_GRAPHQL_URL` | Pipeline | 15.11 | all | The GitLab API GraphQL root URL. |
+| `CI_BUILDS_DIR` | Jobs only | all | 11.10 | The top-level directory where builds are executed. |
+| `CI_COMMIT_AUTHOR` | Pipeline | 13.11 | all | The author of the commit in `Name <email>` format. |
+| `CI_COMMIT_BEFORE_SHA` | Pipeline | 11.2 | all | The previous latest commit present on a branch or tag. Is always `0000000000000000000000000000000000000000` for merge request pipelines, the first commit in pipelines for branches or tags, or when manually running a pipeline. |
+| `CI_COMMIT_BRANCH` | Pipeline | 12.6 | 0.5 | The commit branch name. Available in branch pipelines, including pipelines for the default branch. Not available in merge request pipelines or tag pipelines. |
+| `CI_COMMIT_DESCRIPTION` | Pipeline | 10.8 | all | The description of the commit. If the title is shorter than 100 characters, the message without the first line. |
+| `CI_COMMIT_MESSAGE` | Pipeline | 10.8 | all | The full commit message. |
+| `CI_COMMIT_REF_NAME` | Pipeline | 9.0 | all | The branch or tag name for which project is built. |
+| `CI_COMMIT_REF_PROTECTED` | Pipeline | 11.11 | all | `true` if the job is running for a protected reference, `false` otherwise. |
+| `CI_COMMIT_REF_SLUG` | Pipeline | 9.0 | all | `CI_COMMIT_REF_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in URLs, host names and domain names. |
+| `CI_COMMIT_SHA` | Pipeline | 9.0 | all | The commit revision the project is built for. |
+| `CI_COMMIT_SHORT_SHA` | Pipeline | 11.7 | all | The first eight characters of `CI_COMMIT_SHA`. |
+| `CI_COMMIT_TAG` | Pipeline | 9.0 | 0.5 | The commit tag name. Available only in pipelines for tags. |
+| `CI_COMMIT_TAG_MESSAGE` | Pipeline | 15.5 | all | The commit tag message. Available only in pipelines for tags. |
+| `CI_COMMIT_TIMESTAMP` | Pipeline | 13.4 | all | The timestamp of the commit in the [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. |
+| `CI_COMMIT_TITLE` | Pipeline | 10.8 | all | The title of the commit. The full first line of the message. |
+| `CI_CONCURRENT_ID` | Jobs only | all | 11.10 | The unique ID of build execution in a single executor. |
+| `CI_CONCURRENT_PROJECT_ID` | Jobs only | all | 11.10 | The unique ID of build execution in a single executor and project. |
+| `CI_CONFIG_PATH` | Pipeline | 9.4 | 0.5 | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`. Read-only inside a running pipeline. |
+| `CI_DEBUG_TRACE` | Pipeline | all | 1.7 | `true` if [debug logging (tracing)](index.md#enable-debug-logging) is enabled. |
+| `CI_DEBUG_SERVICES` | Pipeline | 15.7 | 15.7 | `true` if [service container logging](../services/index.md#capturing-service-container-logs) is enabled. |
+| `CI_DEFAULT_BRANCH` | Pipeline | 12.4 | all | The name of the project's default branch. |
+| `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX`| Pipeline | 14.3 | all | The direct group image prefix for pulling images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` | Pipeline | 13.7 | all | The top-level group image prefix for pulling images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_PASSWORD` | Pipeline | 13.7 | all | The password to pull images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_SERVER` | Pipeline | 13.7 | all | The server for logging in to the Dependency Proxy. This is equivalent to `$CI_SERVER_HOST:$CI_SERVER_PORT`. |
+| `CI_DEPENDENCY_PROXY_USER` | Pipeline | 13.7 | all | The username to pull images through the Dependency Proxy. |
+| `CI_DEPLOY_FREEZE` | Pipeline | 13.2 | all | Only available if the pipeline runs during a [deploy freeze window](../../user/project/releases/index.md#prevent-unintentional-releases-by-setting-a-deploy-freeze). `true` when available. |
+| `CI_DEPLOY_PASSWORD` | Jobs only | 10.8 | all | The authentication password of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), if the project has one. |
+| `CI_DEPLOY_USER` | Jobs only | 10.8 | all | The authentication username of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), if the project has one. |
+| `CI_DISPOSABLE_ENVIRONMENT` | Pipeline | all | 10.1 | Only available if the job is executed in a disposable environment (something that is created only for this job and disposed of/destroyed after the execution - all executors except `shell` and `ssh`). `true` when available. |
+| `CI_ENVIRONMENT_NAME` | Pipeline | 8.15 | all | The name of the environment for this job. Available if [`environment:name`](../yaml/index.md#environmentname) is set. |
+| `CI_ENVIRONMENT_SLUG` | Pipeline | 8.15 | all | The simplified version of the environment name, suitable for inclusion in DNS, URLs, Kubernetes labels, and so on. Available if [`environment:name`](../yaml/index.md#environmentname) is set. The slug is [truncated to 24 characters](https://gitlab.com/gitlab-org/gitlab/-/issues/20941). A random suffix is automatically added to [uppercase environment names](https://gitlab.com/gitlab-org/gitlab/-/issues/415526). |
+| `CI_ENVIRONMENT_URL` | Pipeline | 9.3 | all | The URL of the environment for this job. Available if [`environment:url`](../yaml/index.md#environmenturl) is set. |
+| `CI_ENVIRONMENT_ACTION` | Pipeline | 13.11 | all | The action annotation specified for this job's environment. Available if [`environment:action`](../yaml/index.md#environmentaction) is set. Can be `start`, `prepare`, or `stop`. |
+| `CI_ENVIRONMENT_TIER` | Pipeline | 14.0 | all | The [deployment tier of the environment](../environments/index.md#deployment-tier-of-environments) for this job. |
+| `CI_RELEASE_DESCRIPTION` | Pipeline | 15.5 | all | The description of the release. Available only on pipelines for tags. Description length is limited to first 1024 characters. |
+| `CI_GITLAB_FIPS_MODE` | Pipeline | 14.10 | all | Only available if [FIPS mode](../../development/fips_compliance.md) is enabled in the GitLab instance. `true` when available. |
+| `CI_HAS_OPEN_REQUIREMENTS` | Pipeline | 13.1 | all | Only available if the pipeline's project has an open [requirement](../../user/project/requirements/index.md). `true` when available. |
+| `CI_JOB_ID` | Jobs only | 9.0 | all | The internal ID of the job, unique across all jobs in the GitLab instance. |
+| `CI_JOB_IMAGE` | Pipeline | 12.9 | 12.9 | The name of the Docker image running the job. |
+| `CI_JOB_JWT` (Deprecated) | Pipeline | 12.10 | all | A RS256 JSON web token to authenticate with third party systems that support JWT authentication, for example [HashiCorp's Vault](../secrets/index.md). [Deprecated in GitLab 15.9](../../update/deprecations.md#old-versions-of-json-web-tokens-are-deprecated) and scheduled to be removed in GitLab 17.0. Use [ID tokens](../yaml/index.md#id_tokens) instead. |
+| `CI_JOB_JWT_V1` (Deprecated) | Pipeline | 14.6 | all | The same value as `CI_JOB_JWT`. [Deprecated in GitLab 15.9](../../update/deprecations.md#old-versions-of-json-web-tokens-are-deprecated) and scheduled to be removed in GitLab 17.0. Use [ID tokens](../yaml/index.md#id_tokens) instead. |
+| `CI_JOB_JWT_V2` (Deprecated) | Pipeline | 14.6 | all | A newly formatted RS256 JSON web token to increase compatibility. Similar to `CI_JOB_JWT`, except the issuer (`iss`) claim is changed from `gitlab.com` to `https://gitlab.com`, `sub` has changed from `job_id` to a string that contains the project path, and an `aud` claim is added. The `aud` field is a constant value. Trusting JWTs in multiple relying parties can lead to [one RP sending a JWT to another one and acting maliciously as a job](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72555#note_769112331). [Deprecated in GitLab 15.9](../../update/deprecations.md#old-versions-of-json-web-tokens-are-deprecated) and scheduled to be removed in GitLab 17.0. Use [ID tokens](../yaml/index.md#id_tokens) instead. |
+| `CI_JOB_MANUAL` | Pipeline | 8.12 | all | Only available if the job was started manually. `true` when available. |
+| `CI_JOB_NAME` | Pipeline | 9.0 | 0.5 | The name of the job. |
+| `CI_JOB_NAME_SLUG` | Pipeline | 15.4 | all | `CI_JOB_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in paths. |
+| `CI_JOB_STAGE` | Pipeline | 9.0 | 0.5 | The name of the job's stage. |
+| `CI_JOB_STATUS` | Jobs only | all | 13.5 | The status of the job as each runner stage is executed. Use with [`after_script`](../yaml/index.md#after_script). Can be `success`, `failed`, or `canceled`. |
+| `CI_JOB_TIMEOUT` | Jobs only | 15.7 | 15.7 | The job timeout, in seconds. |
+| `CI_JOB_TOKEN` | Jobs only | 9.0 | 1.2 | A token to authenticate with [certain API endpoints](../jobs/ci_job_token.md). The token is valid as long as the job is running. |
+| `CI_JOB_URL` | Jobs only | 11.1 | 0.5 | The job details URL. |
+| `CI_JOB_STARTED_AT` | Jobs only | 13.10 | all | The UTC datetime when a job started, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. |
+| `CI_KUBERNETES_ACTIVE` | Pipeline | 13.0 | all | Only available if the pipeline has a Kubernetes cluster available for deployments. `true` when available. |
+| `CI_NODE_INDEX` | Pipeline | 11.5 | all | The index of the job in the job set. Only available if the job uses [`parallel`](../yaml/index.md#parallel). |
+| `CI_NODE_TOTAL` | Pipeline | 11.5 | all | The total number of instances of this job running in parallel. Set to `1` if the job does not use [`parallel`](../yaml/index.md#parallel). |
+| `CI_OPEN_MERGE_REQUESTS` | Pipeline | 13.8 | all | A comma-separated list of up to four merge requests that use the current branch and project as the merge request source. Only available in branch and merge request pipelines if the branch has an associated merge request. For example, `gitlab-org/gitlab!333,gitlab-org/gitlab-foss!11`. |
+| `CI_PAGES_DOMAIN` | Pipeline | 11.8 | all | The configured domain that hosts GitLab Pages. |
+| `CI_PAGES_URL` | Pipeline | 11.8 | all | The URL for a GitLab Pages site. Always a subdomain of `CI_PAGES_DOMAIN`. |
+| `CI_PIPELINE_ID` | Jobs only | 8.10 | all | The instance-level ID of the current pipeline. This ID is unique across all projects on the GitLab instance. |
+| `CI_PIPELINE_IID` | Pipeline | 11.0 | all | The project-level IID (internal ID) of the current pipeline. This ID is unique only within the current project. |
+| `CI_PIPELINE_SOURCE` | Pipeline | 10.0 | all | How the pipeline was triggered. Can be `push`, `web`, `schedule`, `api`, `external`, `chat`, `webide`, `merge_request_event`, `external_pull_request_event`, `parent_pipeline`, [`trigger`, or `pipeline`](../triggers/index.md#configure-cicd-jobs-to-run-in-triggered-pipelines). For a description of each value, see [Common `if` clauses for `rules`](../jobs/job_control.md#common-if-clauses-for-rules), which uses this variable to control when jobs run. |
+| `CI_PIPELINE_TRIGGERED` | Pipeline | all | all | `true` if the job was [triggered](../triggers/index.md). |
+| `CI_PIPELINE_URL` | Jobs only | 11.1 | 0.5 | The URL for the pipeline details. |
+| `CI_PIPELINE_CREATED_AT` | Pipeline | 13.10 | all | The UTC datetime when the pipeline was created, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. |
+| `CI_PIPELINE_NAME` | Pipeline | 16.3 | all | The pipeline name defined in [`workflow:name`](../yaml/index.md#workflowname) |
+| `CI_PROJECT_DIR` | Jobs only | all | all | The full path the repository is cloned to, and where the job runs from. If the GitLab Runner `builds_dir` parameter is set, this variable is set relative to the value of `builds_dir`. For more information, see the [Advanced GitLab Runner configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_PROJECT_ID` | Pipeline | all | all | The ID of the current project. This ID is unique across all projects on the GitLab instance. |
+| `CI_PROJECT_NAME` | Pipeline | 8.10 | 0.5 | The name of the directory for the project. For example if the project URL is `gitlab.example.com/group-name/project-1`, `CI_PROJECT_NAME` is `project-1`. |
+| `CI_PROJECT_NAMESPACE` | Pipeline | 8.10 | 0.5 | The project namespace (username or group name) of the job. |
+| `CI_PROJECT_NAMESPACE_ID` | Pipeline | 15.7 | 0.5 | The project namespace ID of the job. |
+| `CI_PROJECT_PATH_SLUG` | Pipeline | 9.3 | all | `$CI_PROJECT_PATH` in lowercase with characters that are not `a-z` or `0-9` replaced with `-` and shortened to 63 bytes. Use in URLs and domain names. |
+| `CI_PROJECT_PATH` | Pipeline | 8.10 | 0.5 | The project namespace with the project name included. |
+| `CI_PROJECT_REPOSITORY_LANGUAGES` | Pipeline | 12.3 | all | A comma-separated, lowercase list of the languages used in the repository. For example `ruby,javascript,html,css`. The maximum number of languages is limited to 5. An issue [proposes to increase the limit](https://gitlab.com/gitlab-org/gitlab/-/issues/368925). |
+| `CI_PROJECT_ROOT_NAMESPACE` | Pipeline | 13.2 | 0.5 | The root project namespace (username or group name) of the job. For example, if `CI_PROJECT_NAMESPACE` is `root-group/child-group/grandchild-group`, `CI_PROJECT_ROOT_NAMESPACE` is `root-group`. |
+| `CI_PROJECT_TITLE` | Pipeline | 12.4 | all | The human-readable project name as displayed in the GitLab web interface. |
+| `CI_PROJECT_DESCRIPTION` | Pipeline | 15.1 | all | The project description as displayed in the GitLab web interface. |
+| `CI_PROJECT_URL` | Pipeline | 8.10 | 0.5 | The HTTP(S) address of the project. |
+| `CI_PROJECT_VISIBILITY` | Pipeline | 10.3 | all | The project visibility. Can be `internal`, `private`, or `public`. |
+| `CI_PROJECT_CLASSIFICATION_LABEL` | Pipeline | 14.2 | all | The project [external authorization classification label](../../administration/settings/external_authorization.md). |
+| `CI_REGISTRY` | Pipeline | 8.10 | 0.5 | Address of the [container registry](../../user/packages/container_registry/index.md) server, formatted as `<host>[:<port>]`. For example: `registry.gitlab.example.com`. Only available if the container registry is enabled for the GitLab instance. |
+| `CI_REGISTRY_IMAGE` | Pipeline | 8.10 | 0.5 | Base address for the container registry to push, pull, or tag project's images, formatted as `<host>[:<port>]/<project_full_path>`. For example: `registry.gitlab.example.com/my_group/my_project`. Image names must follow the [container registry naming convention](../../user/packages/container_registry/index.md#naming-convention-for-your-container-images). Only available if the container registry is enabled for the project. |
+| `CI_REGISTRY_PASSWORD` | Jobs only | 9.0 | all | The password to push containers to the GitLab project's container registry. Only available if the container registry is enabled for the project. This password value is the same as the `CI_JOB_TOKEN` and is valid only as long as the job is running. Use the `CI_DEPLOY_PASSWORD` for long-lived access to the registry |
+| `CI_REGISTRY_USER` | Jobs only | 9.0 | all | The username to push containers to the project's GitLab container registry. Only available if the container registry is enabled for the project. |
+| `CI_REPOSITORY_URL` | Jobs only | 9.0 | all | The full path to Git clone (HTTP) the repository with a [CI/CD job token](../jobs/ci_job_token.md), in the format `https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/my-group/my-project.git`. |
+| `CI_RUNNER_DESCRIPTION` | Jobs only | 8.10 | 0.5 | The description of the runner. |
+| `CI_RUNNER_EXECUTABLE_ARCH` | Jobs only | all | 10.6 | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
+| `CI_RUNNER_ID` | Jobs only | 8.10 | 0.5 | The unique ID of the runner being used. |
+| `CI_RUNNER_REVISION` | Jobs only | all | 10.6 | The revision of the runner running the job. |
+| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
+| `CI_RUNNER_TAGS` | Jobs only | 8.10 | 0.5 | A comma-separated list of the runner tags. |
+| `CI_RUNNER_VERSION` | Jobs only | all | 10.6 | The version of the GitLab Runner running the job. |
+| `CI_SERVER_HOST` | Pipeline | 12.1 | all | The host of the GitLab instance URL, without protocol or port. For example `gitlab.example.com`. |
+| `CI_SERVER_NAME` | Pipeline | all | all | The name of CI/CD server that coordinates jobs. |
+| `CI_SERVER_PORT` | Pipeline | 12.8 | all | The port of the GitLab instance URL, without host or protocol. For example `8080`. |
+| `CI_SERVER_PROTOCOL` | Pipeline | 12.8 | all | The protocol of the GitLab instance URL, without host or port. For example `https`. |
+| `CI_SERVER_SHELL_SSH_HOST` | Pipeline | 15.11 | all | The SSH host of the GitLab instance, used for access to Git repositories via SSH. For example `gitlab.com`. |
+| `CI_SERVER_SHELL_SSH_PORT` | Pipeline | 15.11 | all | The SSH port of the GitLab instance, used for access to Git repositories via SSH. For example `22`. |
+| `CI_SERVER_REVISION` | Pipeline | all | all | GitLab revision that schedules jobs. |
+| `CI_SERVER_TLS_CA_FILE` | Pipeline | all | all | File containing the TLS CA certificate to verify the GitLab server when `tls-ca-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_SERVER_TLS_CERT_FILE` | Pipeline | all | all | File containing the TLS certificate to verify the GitLab server when `tls-cert-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_SERVER_TLS_KEY_FILE` | Pipeline | all | all | File containing the TLS key to verify the GitLab server when `tls-key-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_SERVER_URL` | Pipeline | 12.7 | all | The base URL of the GitLab instance, including protocol and port. For example `https://gitlab.example.com:8080`. |
+| `CI_SERVER_VERSION_MAJOR` | Pipeline | 11.4 | all | The major version of the GitLab instance. For example, if the GitLab version is `13.6.1`, the `CI_SERVER_VERSION_MAJOR` is `13`. |
+| `CI_SERVER_VERSION_MINOR` | Pipeline | 11.4 | all | The minor version of the GitLab instance. For example, if the GitLab version is `13.6.1`, the `CI_SERVER_VERSION_MINOR` is `6`. |
+| `CI_SERVER_VERSION_PATCH` | Pipeline | 11.4 | all | The patch version of the GitLab instance. For example, if the GitLab version is `13.6.1`, the `CI_SERVER_VERSION_PATCH` is `1`. |
+| `CI_SERVER_VERSION` | Pipeline | all | all | The full version of the GitLab instance. |
+| `CI_SERVER` | Jobs only | all | all | Available for all jobs executed in CI/CD. `yes` when available. |
+| `CI_SHARED_ENVIRONMENT` | Pipeline | all | 10.1 | Only available if the job is executed in a shared environment (something that is persisted across CI/CD invocations, like the `shell` or `ssh` executor). `true` when available. |
+| `CI_TEMPLATE_REGISTRY_HOST` | Pipeline | 15.3 | all | The host of the registry used by CI/CD templates. Defaults to `registry.gitlab.com`. |
+| `GITLAB_CI` | Pipeline | all | all | Available for all jobs executed in CI/CD. `true` when available. |
+| `GITLAB_FEATURES` | Pipeline | 10.6 | all | The comma-separated list of licensed features available for the GitLab instance and license. |
+| `GITLAB_USER_EMAIL` | Pipeline | 8.12 | all | The email of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the email of the user who started the job. |
+| `GITLAB_USER_ID` | Pipeline | 8.12 | all | The numeric ID of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the ID of the user who started the job. |
+| `GITLAB_USER_LOGIN` | Pipeline | 10.0 | all | The username of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the username of the user who started the job. |
+| `GITLAB_USER_NAME` | Pipeline | 10.0 | all | The display name of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the name of the user who started the job. |
+| `KUBECONFIG` | Pipeline | 14.2 | all | The path to the `kubeconfig` file with contexts for every shared agent connection. Only available when a [GitLab agent is authorized to access the project](../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent). |
+| `TRIGGER_PAYLOAD` | Pipeline | 13.9 | all | The webhook payload. Only available when a pipeline is [triggered with a webhook](../triggers/index.md#access-webhook-payload). |
## Predefined variables for merge request pipelines
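Review bot: The new "Defined for" values are inconsistent between rows that describe the same kind of data. `CI_SERVER` is `Jobs only`, while `CI` and `GITLAB_CI`, which have the same description ("Available for all jobs executed in CI/CD"), are `Pipeline`. `CI_DISPOSABLE_ENVIRONMENT`, `CI_SHARED_ENVIRONMENT` and the three `CI_SERVER_TLS_*_FILE` rows are `Pipeline` although their descriptions tie the value to the executor or to runner settings. `CI_DEPENDENCY_PROXY_PASSWORD` is `Pipeline` while the other credential rows (`CI_DEPLOY_PASSWORD`, `CI_REGISTRY_PASSWORD`, `CI_JOB_TOKEN`) are `Jobs only`. Please confirm each of these against where the variable is actually set, because readers will use this column to decide what is usable before a job starts. Minor: the `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` row has no space before the column separator, and the `CI_PIPELINE_NAME` and `CI_REGISTRY_PASSWORD` descriptions end without a period.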
@@ -157,6 +162,9 @@ These variables are available when:
|---------------------------------------------|--------|--------|-------------|
| `CI_MERGE_REQUEST_APPROVED` | 14.1 | all | Approval status of the merge request. `true` when [merge request approvals](../../user/project/merge_requests/approvals/index.md) is available and the merge request has been approved. |
| `CI_MERGE_REQUEST_ASSIGNEES` | 11.9 | all | Comma-separated list of usernames of assignees for the merge request. |
+| `CI_MERGE_REQUEST_DIFF_BASE_SHA` | 13.7 | all | The base SHA of the merge request diff. |
+| `CI_MERGE_REQUEST_DIFF_ID` | 13.7 | all | The version of the merge request diff. |
+| `CI_MERGE_REQUEST_EVENT_TYPE` | 12.3 | all | The event type of the merge request. Can be `detached`, `merged_result` or `merge_train`. |
| `CI_MERGE_REQUEST_ID` | 11.6 | all | The instance-level ID of the merge request. This is a unique ID across all projects on the GitLab instance. |
| `CI_MERGE_REQUEST_DESCRIPTION` | 16.7 | all | The description of the merge request. |
| `CI_MERGE_REQUEST_IID` | 11.6 | all | The project-level IID (internal ID) of the merge request. This ID is unique for the current project, and is the number used in the merge request URL, page title, and other visible locations. |
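Review bot: `CI_MERGE_REQUEST_DESCRIPTION` is still out of alphabetical order after this reordering. In the context rows it sits below `CI_MERGE_REQUEST_ID`, while the rows inserted here (`DIFF_BASE_SHA`, `DIFF_ID`, `EVENT_TYPE`) are sorted. If the intent is an alphabetical table, move it between `CI_MERGE_REQUEST_ASSIGNEES` and `CI_MERGE_REQUEST_DIFF_BASE_SHA` in the same change.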
@@ -166,20 +174,17 @@ These variables are available when:
| `CI_MERGE_REQUEST_PROJECT_PATH` | 11.6 | all | The path of the project of the merge request. For example `namespace/awesome-project`. |
| `CI_MERGE_REQUEST_PROJECT_URL` | 11.6 | all | The URL of the project of the merge request. For example, `http://192.168.10.15:3000/namespace/awesome-project`. |
| `CI_MERGE_REQUEST_REF_PATH` | 11.6 | all | The ref path of the merge request. For example, `refs/merge-requests/1/head`. |
-| `CI_MERGE_REQUEST_SQUASH_ON_MERGE` | 16.4 | all | `true` when the [squash on merge](../../user/project/merge_requests/squash_and_merge.md) option is set. |
| `CI_MERGE_REQUEST_SOURCE_BRANCH_NAME` | 11.6 | all | The source branch name of the merge request. |
| `CI_MERGE_REQUEST_SOURCE_BRANCH_PROTECTED` | 16.4 | all | `true` when the source branch of the merge request is [protected](../../user/project/protected_branches.md). |
| `CI_MERGE_REQUEST_SOURCE_BRANCH_SHA` | 11.9 | all | The HEAD SHA of the source branch of the merge request. The variable is empty in merge request pipelines. The SHA is present only in [merged results pipelines](../pipelines/merged_results_pipelines.md). |
| `CI_MERGE_REQUEST_SOURCE_PROJECT_ID` | 11.6 | all | The ID of the source project of the merge request. |
| `CI_MERGE_REQUEST_SOURCE_PROJECT_PATH` | 11.6 | all | The path of the source project of the merge request. |
| `CI_MERGE_REQUEST_SOURCE_PROJECT_URL` | 11.6 | all | The URL of the source project of the merge request. |
+| `CI_MERGE_REQUEST_SQUASH_ON_MERGE` | 16.4 | all | `true` when the [squash on merge](../../user/project/merge_requests/squash_and_merge.md) option is set. |
| `CI_MERGE_REQUEST_TARGET_BRANCH_NAME` | 11.6 | all | The target branch name of the merge request. |
| `CI_MERGE_REQUEST_TARGET_BRANCH_PROTECTED` | 15.2 | all | `true` when the target branch of the merge request is [protected](../../user/project/protected_branches.md). |
| `CI_MERGE_REQUEST_TARGET_BRANCH_SHA` | 11.9 | all | The HEAD SHA of the target branch of the merge request. The variable is empty in merge request pipelines. The SHA is present only in [merged results pipelines](../pipelines/merged_results_pipelines.md). |
| `CI_MERGE_REQUEST_TITLE` | 11.9 | all | The title of the merge request. |
-| `CI_MERGE_REQUEST_EVENT_TYPE` | 12.3 | all | The event type of the merge request. Can be `detached`, `merged_result` or `merge_train`. |
-| `CI_MERGE_REQUEST_DIFF_ID` | 13.7 | all | The version of the merge request diff. |
-| `CI_MERGE_REQUEST_DIFF_BASE_SHA` | 13.7 | all | The base SHA of the merge request diff. |
## Predefined variables for external pull request pipelines
@@ -209,3 +214,8 @@ defines deployment variables that you can use with the integration.
The [documentation for each integration](../../user/project/integrations/index.md)
explains if the integration has any deployment variables available.
+
+## Troubleshooting
+
+You can [output the values of all variables available for a job](index.md#list-all-variables)
+with a `script` command.
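Review bot: The new Troubleshooting paragraph tells readers to output every variable available to a job without mentioning that this set includes the credentials documented in this same file (`CI_JOB_TOKEN`, `CI_REGISTRY_PASSWORD`, `CI_DEPLOY_PASSWORD`, `CI_DEPENDENCY_PROXY_PASSWORD`). Suggest adding one sentence saying that the values end up in the job log, so the command should be used only while debugging and removed afterwards, or pointing to whatever caution the linked `list-all-variables` section already gives.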
diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md
index d25f9801f5b..dc2ea3adfdd 100644
--- a/doc/ci/variables/where_variables_can_be_used.md
+++ b/doc/ci/variables/where_variables_can_be_used.md
@@ -149,15 +149,15 @@ Pipeline-level persisted variables:
Job-level persisted variables:
+- `CI_DEPLOY_PASSWORD`
+- `CI_DEPLOY_USER`
- `CI_JOB_ID`
-- `CI_JOB_URL`
-- `CI_JOB_TOKEN`
- `CI_JOB_STARTED_AT`
-- `CI_REGISTRY_USER`
+- `CI_JOB_TOKEN`
+- `CI_JOB_URL`
- `CI_REGISTRY_PASSWORD`
+- `CI_REGISTRY_USER`
- `CI_REPOSITORY_URL`
-- `CI_DEPLOY_USER`
-- `CI_DEPLOY_PASSWORD`
Persisted variables are:
diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md
index dc1b33feab0..5e3cd97c78b 100644
--- a/doc/ci/yaml/index.md
+++ b/doc/ci/yaml/index.md
@@ -452,6 +452,9 @@ start. Jobs in the current stage are not stopped and continue to run.
Use [`workflow`](workflow.md) to control pipeline behavior.
+You can use some [predefined CI/CD variables](../variables/predefined_variables.md) in
+`workflow` configuration, but not variables that are only defined when jobs start.
+
**Related topics**:
- [`workflow: rules` examples](workflow.md#workflow-rules-examples)
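Review bot: "some predefined CI/CD variables" in the added sentence does not tell the reader how to find out which ones qualify. The same commit adds a "Defined for" column to `predefined_variables.md` with the values `Pipeline` and `Jobs only`. Name that column here, for example "variables listed as `Pipeline` in the **Defined for** column", so the restriction can be checked without guessing.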
diff --git a/doc/development/database/loose_foreign_keys.md b/doc/development/database/loose_foreign_keys.md
index 03469f64d4b..3003ee970ce 100644
--- a/doc/development/database/loose_foreign_keys.md
+++ b/doc/development/database/loose_foreign_keys.md
@@ -119,9 +119,9 @@ To match foreign key (FK), write one or many filters to match against FROM/TO/CO
- scripts/decomposition/generate-loose-foreign-key dast_site_profiles_pipelines
```
-The command accepts a list of filters to match from, to, or column for the purpose of the foreign key generation.
-For example, run this to swap all foreign keys for `ci_job_token_project_scope_links` for the
-decomposed database:
+The command accepts a list of regular expressions to match from, to, or column
+for the purpose of the foreign key generation. For example, run this to swap
+all foreign keys for `ci_job_token_project_scope_links` for the decomposed database:
```shell
scripts/decomposition/generate-loose-foreign-key -c ci_job_token_project_scope_links
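Review bot: The rewritten paragraph now says the command takes "regular expressions", but the sentence quoted in the hunk header still says "write one or many filters to match against FROM/TO/CO…". Use one term in both places, or say once that the filters are regular expressions, so readers do not assume two different kinds of argument. It would also help to state here that an unanchored pattern matches any name that contains it, since the example passes a bare table name.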
@@ -133,6 +133,15 @@ To swap only the `source_project_id` of `ci_job_token_project_scope_links` for t
scripts/decomposition/generate-loose-foreign-key -c ci_job_token_project_scope_links source_project_id
```
+To match the exact name of a table or columns, you can make use of the regular expressions
+position anchors `^` and `$`. For example, this command matches only the
+foreign keys on the `events` table only, but not on the table
+`incident_management_timeline_events`.
+
+```shell
+scripts/decomposition/generate-loose-foreign-key -n ^events$
+```
+
To swap all the foreign keys (all having `_id` appended), but not create a new branch (only commit
the changes) and not create RSpec tests, run:
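Review bot: The added example passes `^events$` unquoted; `^` and `$` are treated specially by some shells, so the documented command should be `-n '^events$'` to make sure the pattern reaches the script unchanged. The sentence above it also repeats itself ("matches only the foreign keys on the `events` table only") and mixes number in "a table or columns"; suggest "matches only the foreign keys on the `events` table, not those on `incident_management_timeline_events`" and "a table or column". The `-n` option is used here without having been described, while the earlier examples use `-c`, so a short word on what `-n` filters would help.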
diff --git a/doc/development/documentation/styleguide/word_list.md b/doc/development/documentation/styleguide/word_list.md
index 610328806bc..affe2bc0991 100644
--- a/doc/development/documentation/styleguide/word_list.md
+++ b/doc/development/documentation/styleguide/word_list.md
@@ -674,7 +674,7 @@ Learn more about [documenting multiple fields at once](index.md#documenting-mult
## file name
-Use two words for **file name**.
+Use two words for **file name**. When using file name as a variable, use `<file_name>`.
([Vale](../testing.md#vale) rule: [`SubstitutionWarning.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/SubstitutionWarning.yml))
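Review bot: In the added sentence, "as a variable" is ambiguous next to actual variables documented elsewhere; what is meant appears to be a placeholder in a command or path. Suggest "When using file name as a placeholder, use `<file_name>`", if that matches the term the style guide uses for angle-bracket placeholders.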
diff --git a/doc/user/application_security/vulnerability_report/index.md b/doc/user/application_security/vulnerability_report/index.md
index 7493eb0e891..4ae8f239f9b 100644
--- a/doc/user/application_security/vulnerability_report/index.md
+++ b/doc/user/application_security/vulnerability_report/index.md
@@ -202,11 +202,11 @@ apply to the export.
Fields included are:
+- Status (See the following table for details of how the status value is exported.)
- Group name
- Project name
- Tool
- Scanner name
-- Status
- Vulnerability
- Basic details
- Additional information
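Review bot: Moving "Status" from its place after "Scanner name" to the top of the list changes the apparent field order; if this list mirrors the column order of the export, the new position is misleading to anyone parsing the file by position. The parenthetical "See the following table" is also not accurate from this spot, because the table is added in a later hunk after further text, not directly below the list. Suggest keeping Status in its original position and linking to the table by anchor.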
@@ -227,6 +227,16 @@ Full details are available through our
Use one of the `gl-*-report.json` report filenames in place of `*artifact_path`
to obtain, for example, the path of files in which vulnerabilities were detected.
+The Status field's values shown in the vulnerability report are different to those contained
+in the vulnerability export. Use the following reference table to match them.
+
+| Vulnerability report | Vulnerability export |
+|:---------------------|:---------------------|
+| Needs triage | detected |
+| Dismissed | dismissed |
+| Resolved | resolved |
+| Confirmed | confirmed |
+
### Export details in CSV format
To export details of all vulnerabilities listed in the Vulnerability Report, select **Export**.
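Review bot: The status mapping table is inserted above the `### Export details in CSV format` heading, so it lands at the end of the preceding section about `gl-*-report.json` paths rather than in the section that describes the export. Suggest moving it under the export heading, where someone processing the export will look for it. The paragraph should also say whether these four values are the complete set a consumer can expect in the export, and "different to" is better as "different from".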
diff --git a/doc/user/group/saml_sso/troubleshooting.md b/doc/user/group/saml_sso/troubleshooting.md
index 8fc0c48a78c..1e7de8143e9 100644
--- a/doc/user/group/saml_sso/troubleshooting.md
+++ b/doc/user/group/saml_sso/troubleshooting.md
@@ -366,10 +366,10 @@ This error appears when the SAML response does not contain the user's email addr
</Attribute>
```
-Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` like in the following example are not supported. Remove this type of attribute name from the SAML response on the IDP side.
+Attribute names starting with phrases such as `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` and `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are supported.
```xml
-<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/email">
+<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress">
<AttributeValue>user@domain.com‹/AttributeValue>
</Attribute>
```
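Review bot: The changed sentence reverses the previous guidance from "not supported" to "supported" with no version note, so an administrator who followed the old instruction and removed these attribute names on the IdP side cannot tell from which release the new statement holds. Suggest adding the version in which support was introduced. The rewrite also drops "like in the following example", leaving the XML block without a lead-in, and the example silently changes from `.../claims/email` to `.../claims/emailaddress` without saying which claim names are mapped to the user's email. The two prefixes are written inconsistently as well: the first has no trailing slash and the second does.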
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index 4684cbd070b..7a616bc7ec9 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -143,9 +143,9 @@ Personal access tokens expire on the date you define, at midnight, 00:00 AM UTC.
[maximum allowed lifetime for the token](../../administration/settings/account_and_limit_settings.md#limit-the-lifetime-of-access-tokens).
If the maximum allowed lifetime is not set, the default expiry date is 365 days from the date of creation.
-### Service Accounts
+### Create a service account personal access token with no expiry date
-You can [create a personal access token for a service account](../../api/groups.md#create-personal-access-token-for-service-account-user) with no expiry date.
+You can [create a personal access token for a service account](../../api/groups.md#create-personal-access-token-for-service-account-user) with no expiry date. These personal access tokens never expire, unlike non-service account personal access tokens.
NOTE:
Allowing personal access tokens for service accounts to be created with no expiry date only affects tokens created after you change this setting. It does not affect existing tokens.
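Review bot: The new heading "Create a service account personal access token with no expiry date" is phrased as a task, but the section contains no steps, only a link to the API, and the added sentence "These personal access tokens never expire" restates "with no expiry date" from the sentence before it. Suggest either adding the steps or keeping a topic-style heading, and dropping the repetition. Since these tokens are long-lived credentials, the NOTE's "after you change this setting" should name or link the setting; nothing in this section identifies it.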