Merge branch 'step_284-revert-variables-on-container' into 'main'

Romuald Atchadé · Romuald Atchadé · commit de4eb103dcb7 · 2026-02-11T13:03:29.000-05:00
Restore environment variables to build container See merge request https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/6333 Merged-by: Romuald Atchadé <ratchade@gitlab.com> Approved-by: Axel von Bertoldi <avonbertoldi@gitlab.com> Approved-by: Cameron Swords <cswords@gitlab.com> Reviewed-by: Cameron Swords <cswords@gitlab.com> Reviewed-by: Romuald Atchadé <ratchade@gitlab.com> Reviewed-by: Axel von Bertoldi <avonbertoldi@gitlab.com>
diff --git a/common/spec/variables.go b/common/spec/variables.go
@@ -50,6 +50,19 @@ func (b Variables) StringList() (variables []string) {
 	return variables
 }
 
+// GetAllVariableNames returns a semicolon-separated list of all variable names
+// that are set in the build. This function is used to pass the list of job variable
+// names to the build container via an environment variable (e.g., RUNNER_JOB_VAR_NAMES),
+// allowing step-runner to identify and filter out job variables from the OS environment.
+func (b Variables) GetAllVariableNames() string {
+	names := make([]string, 0, len(b))
+	for _, variable := range b {
+		names = append(names, variable.Key)
+	}
+
+	return strings.Join(names, ";")
+}
+
 // Get returns the value of a variable, or if a file type variable, the
 // pathname to the saved file containing the value,
 func (b Variables) Get(key string) string {
diff --git a/executors/docker/docker.go b/executors/docker/docker.go
@@ -2,7 +2,9 @@ package docker
 
 import (
 	"bytes"
+	"compress/gzip"
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
@@ -58,20 +60,22 @@ const (
 	ExecutorStageCreatingServices     common.ExecutorStage = "docker_creating_services"
 	ExecutorStageCreatingUserVolumes  common.ExecutorStage = "docker_creating_user_volumes"
 	ExecutorStagePullingImage         common.ExecutorStage = "docker_pulling_image"
-)
 
-const ServiceLogOutputLimit = 64 * 1024
+	ServiceLogOutputLimit = 64 * 1024
 
-const (
 	labelServiceType = "service"
 	labelWaitType    = "wait"
-)
 
-// internalFakeTunnelHostname is an internal hostname we provide the Docker client
-// when we provide a tunnelled dialer implementation. Because we're overriding
-// the dialer, this domain should never be used by the client, but we use the
-// reserved TLD ".invalid" for safety.
-const internalFakeTunnelHostname = "http://internal.tunnel.invalid"
+	// internalFakeTunnelHostname is an internal hostname we provide the Docker client
+	// when we provide a tunnelled dialer implementation. Because we're overriding
+	// the dialer, this domain should never be used by the client, but we use the
+	// reserved TLD ".invalid" for safety.
+	internalFakeTunnelHostname = "http://internal.tunnel.invalid"
+
+	// runnerJobVarsNames is the name used to identify the all the job variables names.
+	// It is used to allow step-runner to filter these variables once the gRPC service is started
+	runnerJobVarsNames = "RUNNER_JOB_VAR_NAMES"
+)
 
 var neverRestartPolicy = container.RestartPolicy{Name: "no"}
 
@@ -871,6 +875,11 @@ func (e *executor) createContainerConfig(
 	cmd []string,
 ) (*container.Config, error) {
 	labels := e.prepareContainerLabels(map[string]string{"type": containerType})
+	jobVars, err := e.prepareContainerEnvVariables()
+	if err != nil {
+		return nil, fmt.Errorf("setting job variables: %w", err)
+	}
+
 	config := &container.Config{
 		Image:        image.ID,
 		Hostname:     hostname,
@@ -883,7 +892,7 @@ func (e *executor) createContainerConfig(
 		OpenStdin:    true,
 		StdinOnce:    true,
 		Entrypoint:   e.overwriteEntrypoint(&imageDefinition),
-		Env:          e.Build.GetAllVariables().StringList(),
+		Env:          jobVars.StringList(),
 	}
 
 	//nolint:nestif
@@ -913,6 +922,53 @@ func (e *executor) createContainerConfig(
 	return config, nil
 }
 
+// prepareContainerEnvVariables prepares the environment variables for the build container.
+// When native steps are enabled, it compresses the list of job variable names and adds them
+// to the environment as RUNNER_JOB_VAR_NAMES. This allows step-runner to identify and filter
+// out job variables from the OS environment, preventing environment variable size limit issues.
+//
+// The variable names are gzip-compressed to minimize the size of the RUNNER_JOB_VAR_NAMES
+// environment variable itself, which is important on systems with strict environment limits
+// (particularly Windows).
+//
+// For non-native step builds, the function returns the variables unchanged since step-runner
+// filtering is not needed.
+func (e *executor) prepareContainerEnvVariables() (spec.Variables, error) {
+	vars := e.Build.GetAllVariables()
+
+	if !e.Build.UseNativeSteps() {
+		return vars, nil
+	}
+
+	names := vars.GetAllVariableNames()
+	compressedVarNames, err := gzipString(names)
+	if err != nil {
+		return nil, fmt.Errorf("job variables names compression failed: %w", err)
+	}
+
+	v := append([]spec.Variable{}, vars...)
+	v = append(v, spec.Variable{
+		Key:   runnerJobVarsNames,
+		Value: compressedVarNames,
+	})
+
+	return v, nil
+}
+
+// gzipString compresses a string and returns the compressed string.
+func gzipString(src string) (string, error) {
+	var b bytes.Buffer
+	gz := gzip.NewWriter(&b)
+	if _, err := gz.Write([]byte(src)); err != nil {
+		return "", fmt.Errorf("writing to gzip writer: %w", err)
+	}
+	if err := gz.Close(); err != nil {
+		return "", fmt.Errorf("closing gzip writer: %w", err)
+	}
+
+	return base64.StdEncoding.EncodeToString(b.Bytes()), nil
+}
+
 func (e *executor) getBuildContainerUser(imageDefinition spec.Image) (string, error) {
 	// runner config takes precedence
 	user := e.Config.Docker.User
diff --git a/executors/docker/docker_test.go b/executors/docker/docker_test.go
@@ -3174,3 +3174,87 @@ func testDockerServiceContainerCgroup(
 	require.NoError(t, err)
 	assert.Equal(t, expectedCgroup, hostConfig.CgroupParent, "Service container HostConfig.CgroupParent should be set correctly")
 }
+
+func TestPrepareContainerEnvVariables(t *testing.T) {
+	test.SkipIfGitLabCIOn(t, test.OSWindows)
+
+	tests := map[string]struct {
+		featureFlagEnabled       bool
+		jobVariables             spec.Variables
+		expectedVarNames         []string
+		shouldHaveRunnerVarNames bool
+	}{
+		"feature flag disabled returns variables  unchanged": {
+			featureFlagEnabled: false,
+			jobVariables: spec.Variables{
+				{Key: "VAR1", Value: "value1"},
+				{Key: "VAR2", Value: "value2"},
+			},
+			shouldHaveRunnerVarNames: false,
+		},
+		"feature flag enabled compresses variable names": {
+			featureFlagEnabled: true,
+			jobVariables: spec.Variables{
+				{Key: "VAR1", Value: "value1"},
+				{Key: "VAR2", Value: "value2"},
+				{Key: "VAR3", Value: "value3"},
+			},
+			expectedVarNames:         []string{"VAR1", "VAR2", "VAR3"},
+			shouldHaveRunnerVarNames: true,
+		},
+		"feature flag enabled with empty variables": {
+			featureFlagEnabled:       true,
+			jobVariables:             spec.Variables{},
+			shouldHaveRunnerVarNames: true,
+		},
+		"feature flag enabled with many variables": {
+			featureFlagEnabled: true,
+			jobVariables: spec.Variables{
+				{Key: "LONG_VARIABLE_NAME_1", Value: "value1"},
+				{Key: "LONG_VARIABLE_NAME_2", Value: "value2"},
+				{Key: "LONG_VARIABLE_NAME_3", Value: "value3"},
+			},
+			expectedVarNames:         []string{"LONG_VARIABLE_NAME_1", "LONG_VARIABLE_NAME_2", "LONG_VARIABLE_NAME_3"},
+			shouldHaveRunnerVarNames: true,
+		},
+	}
+
+	for testName, test := range tests {
+		t.Run(testName, func(t *testing.T) {
+			e := &executor{
+				AbstractExecutor: executors.AbstractExecutor{
+					Build: &common.Build{
+						Job: spec.Job{
+							Variables: test.jobVariables,
+						},
+					},
+				},
+			}
+
+			// Set the feature flag
+			if test.featureFlagEnabled {
+				e.Build.ExecutorFeatures.NativeStepsIntegration = test.featureFlagEnabled
+				e.Build.Variables = append(e.Build.Variables, spec.Variable{
+					Key:   featureflags.UseScriptToStepMigration,
+					Value: "true",
+				})
+			}
+
+			result, err := e.prepareContainerEnvVariables()
+
+			require.NoError(t, err)
+			require.NotNil(t, result)
+
+			require.Equal(t, test.shouldHaveRunnerVarNames, checkVariable(result, runnerJobVarsNames))
+		})
+	}
+}
+
+func checkVariable(vars spec.Variables, key string) bool {
+	for i := range vars {
+		if vars[i].Key == key {
+			return true
+		}
+	}
+	return false
+}
diff --git a/go.mod b/go.mod
@@ -80,7 +80,7 @@ require (
 	gitlab.com/gitlab-org/golang-cli-helpers v0.0.0-20220124161940-198f30295e7e
 	gitlab.com/gitlab-org/labkit v1.34.0
 	gitlab.com/gitlab-org/moa v0.0.0-20251209091627-66342f721c88
-	gitlab.com/gitlab-org/step-runner v0.26.0
+	gitlab.com/gitlab-org/step-runner v0.27.0
 	go.mozilla.org/pkcs7 v0.9.0
 	go.uber.org/automaxprocs v1.6.0
 	go.yaml.in/yaml/v3 v3.0.4
diff --git a/go.sum b/go.sum
@@ -604,8 +604,8 @@ gitlab.com/gitlab-org/labkit v1.34.0 h1:wJrUZdfxbZrA9+qvnpk5gYJtceW+p7ceSJSg1BPZ
 gitlab.com/gitlab-org/labkit v1.34.0/go.mod h1:JqQLdgjV/KKAZJ6gvNodaLStmWeTT9mxgJPIEi66VHI=
 gitlab.com/gitlab-org/moa v0.0.0-20251209091627-66342f721c88 h1:GVlo8Pr4wfXI/6UF+Rmi0Yv2l7lwVgFiNBeImgWVeko=
 gitlab.com/gitlab-org/moa v0.0.0-20251209091627-66342f721c88/go.mod h1:024490ksS75/Bi9UoJTu59qY44JuFBAfi5bzGsLIhtY=
-gitlab.com/gitlab-org/step-runner v0.26.0 h1:i9EeEk5HeJFvKB5eaR3XUTSLlaIH4Q17ccsbVQiQ5t0=
-gitlab.com/gitlab-org/step-runner v0.26.0/go.mod h1:KZ7aYYlc/DFt3xxhfygrr0TTlXWdnN+LJEsFC9W/1Sw=
+gitlab.com/gitlab-org/step-runner v0.27.0 h1:8wrnKWv7x3CcSXhJUDLHYkWimWlCp65T5JDmceTiPaw=
+gitlab.com/gitlab-org/step-runner v0.27.0/go.mod h1:KZ7aYYlc/DFt3xxhfygrr0TTlXWdnN+LJEsFC9W/1Sw=
 go.etcd.io/bbolt v1.3.5 h1:XAzx9gjCb0Rxj7EoqcClPD1d5ZBxZJk0jbuoPHenBt0=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI=
