I have a CI pipeline in GitLab that triggers a child pipeline that then triggers another child pipeline. Variables that are set in the UI are available in the first child pipeline but not the second (grand)child pipeline. I have looked through the GitLab documentation on all this, and I think this is configured correctly. I don’t see anything that should prevent these variables from being seen. All of this is in a single repository.
Project UI CI/CD variable:
URL = “https://www.thisismywebsite.com”
top-level .gitlab-ci.yml
```yaml
.forward_vars:
  inherit:
    variables: true
  trigger:
    forward:
      pipeline_variables: true

proj1:
  stage: assemble
  variables:
    PARENT_PIPELINE_ID: $CI_PIPELINE_ID
  extends:
    - .forward_vars
  interruptible: false
  trigger:
    include: project1/.gitlab-ci.yml
    strategy: depend
  rules:
    - if: "$CI_COMMIT_BRANCH"
      changes: [project1/**/*]
```
project1/.gitlab-ci.yml
```yaml
.forward_vars:
  variables:
    CACHE_NAME: $CACHE_NAME
    CURRENT_VERSION: $VERSION
  inherit:
    variables: true
  trigger:
    forward:
      pipeline_variables: true

# This prints the URL properly
print-env-project1:
  stage: init
  script:
    - echo "URL=${URL}"

mod1:
  stage: assemble
  variables:
    PROJECT_NAME: module1
    WORKING_DIRECTORY: project1/module1
  extends:
    - .forward_vars
  trigger:
    include:
      - local: project1/module1/.gitlab-ci.yml
    strategy: depend
  rules:
    - if: $CI_PIPELINE_SOURCE == "parent_pipeline" && ($CI_COMMIT_BRANCH || $CI_OPEN_MERGE_REQUESTS)
      changes: [project1/module1/**/*]
```
project1/module1/.gitlab-ci.yml
```yaml
# This does not print the URL. It is empty.
print-env-module1:
  stage: init
  script:
    - echo "URL=${URL}"
```
When printed in the first child pipeline, the value of $URL shows properly. However, when printed in the second child pipeline, it is empty. Is this expected? I couldn’t find much about variables passed down twice like this, so perhaps this is performing as expected. Given that there are many UI variables that need to be passed along here and that some of those are keys/passwords, what is the recommended way to allow them to be used in this grandchild pipeline? This will be calling other templates that display the commands with those passwords in them, and they will likely be visible in the job output if they can no longer be masked after being passed down with something like dotenv.
Or, if there is no good solution, should we rethink the pipeline structure altogether and just do parent-child?