Secrets Management in CI/CD Pipelines: OIDC, Vault Integration, and Credential Hygiene

Cicd
Intermediate, Advanced
Secrets, Oidc, Vault, Credentials, Security, Github-Actions, Gitlab-Ci, Secret-Rotation, Workload-Identity
Vault, Github-Actions, Gitlab-Ci, Aws-Iam, Gcp-Workload-Identity

Secrets Management in CI/CD Pipelines#

Every CI/CD pipeline needs credentials: registry tokens, cloud provider keys, database passwords, API keys for third-party services. How you store, deliver, and scope those credentials determines whether a single compromised pipeline job can escalate into a full infrastructure breach. The difference between a mature and an immature pipeline is rarely in the build steps – it is in the secrets management.

The Problem with Static Secrets#

The default approach on every CI platform is storing secrets as encrypted variables: GitHub Actions secrets, GitLab CI variables, Jenkins credentials store. These work but create compounding risks:

Self-Hosted CI Runners at Scale: GitHub Actions Runner Controller, GitLab Runners on K8s, and Autoscaling

Calendar February 22, 2026
Cicd
Intermediate, Advanced
Ci-Infrastructure-Management, Kubernetes-Operations, Autoscaling-Configuration, Cost-Optimization
Self-Hosted-Runners, Github-Actions, Gitlab-Ci, Actions-Runner-Controller, Autoscaling, Kubernetes, Ci-Infrastructure, Runner-Security
Actions-Runner-Controller, Gitlab-Runner, Kubernetes, Helm, Docker

Self-Hosted CI Runners at Scale#

GitHub-hosted and GitLab SaaS runners work until they do not. You hit limits when you need private network access to deploy to internal infrastructure, specific hardware like GPUs or ARM64 machines, compliance requirements that prohibit running code on shared infrastructure, or cost control when you are burning thousands of dollars per month on hosted runner minutes.

Self-hosted runners solve these problems but introduce operational complexity: you now own runner provisioning, scaling, security, image updates, and cost management.

GitLab CI/CD Pipeline Patterns: Stages, DAG Pipelines, Includes, and Registry Integration

Calendar February 22, 2026
Cicd
Intermediate
Ci-Pipeline-Design, Gitlab-Ci-Authoring, Pipeline-Optimization
Gitlab, Gitlab-Ci, Pipeline, Cicd, Dag, Artifacts, Caching, Review-Apps, Auto-Devops
Gitlab-Ci, Docker, Kubectl

GitLab CI/CD Pipeline Patterns#

GitLab CI/CD runs pipelines defined in a .gitlab-ci.yml file at the repository root. Every push, merge request, or tag triggers a pipeline consisting of stages that contain jobs. The pipeline configuration is version-controlled alongside your code, so the build process evolves with the application.

Basic .gitlab-ci.yml Structure#

A minimal pipeline defines stages and jobs. Stages run sequentially; jobs within the same stage run in parallel:

stages:
  - build
  - test
  - deploy

build-app:
  stage: build
  image: golang:1.22
  script:
    - go build -o myapp ./cmd/myapp
  artifacts:
    paths:
      - myapp
    expire_in: 1 hour

unit-tests:
  stage: test
  image: golang:1.22
  script:
    - go test ./... -v -coverprofile=coverage.out
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.out

deploy-staging:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - kubectl set image deployment/myapp myapp=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  environment:
    name: staging
    url: https://staging.example.com
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

Every job must have a stage and a script. The image field specifies the Docker image the job runs inside. If omitted, it falls back to the pipeline-level default image or the runner’s default.