Ensure deploy tokens variables are not available in the context of only/except

app/models/ci/build.rb

@@ -27,6 +27,7 @@ module Ci
 
     has_one :metadata, class_name: 'Ci::BuildMetadata'
     delegate :timeout, to: :metadata, prefix: true, allow_nil: true
+    delegate :gitlab_deploy_token, to: :project
 
     ##
     # The "environment" field for builds is a String, and is the unexpanded name!
@@ -604,6 +605,8 @@ module Ci
           .append(key: 'CI_REGISTRY_USER', value: CI_REGISTRY_USER)
           .append(key: 'CI_REGISTRY_PASSWORD', value: token, public: false)
           .append(key: 'CI_REPOSITORY_URL', value: repo_url, public: false)
+
+        variables.concat(deploy_token_variables) if gitlab_deploy_token
       end
     end
 
@@ -624,7 +627,6 @@ module Ci
         variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request
         variables.append(key: "CI_JOB_MANUAL", value: 'true') if action?
         variables.concat(legacy_variables)
-        variables.concat(deploy_token_variables) if project.gitlab_deploy_token
       end
     end
 
@@ -657,8 +659,8 @@ module Ci
 
     def deploy_token_variables
       Gitlab::Ci::Variables::Collection.new.tap do |variables|
-        variables.append(key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN_NAME)
-        variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token)
+        variables.append(key: 'CI_DEPLOY_USER', value: gitlab_deploy_token.name)
+        variables.append(key: 'CI_DEPLOY_PASSWORD', value: gitlab_deploy_token.token)
       end
     end
 

doc/ci/environments.md

@@ -260,6 +260,8 @@ are unsupported in environment name context:
 - `CI_REGISTRY_PASSWORD`
 - `CI_REPOSITORY_URL`
 - `CI_ENVIRONMENT_URL`
+- `CI_DEPLOY_USER`
+- `CI_DEPLOY_PASSWORD`
 
 GitLab Runner exposes various [environment variables][variables] when a job runs,
 and as such, you can use them as environment names. Let's add another job in

doc/ci/variables/README.md

@@ -548,6 +548,8 @@ You can find a full list of unsupported variables below:
 - `CI_REGISTRY_PASSWORD`
 - `CI_REPOSITORY_URL`
 - `CI_ENVIRONMENT_URL`
+- `CI_DEPLOY_USER`
+- `CI_DEPLOY_PASSWORD`
 
 These variables are also not supported in a contex of a
 [dynamic environment name][dynamic-environments].

spec/models/ci/build_spec.rb

@@ -2041,7 +2041,7 @@ describe Ci::Build do
 
       let(:deploy_token_variables) do
         [
-          { key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, public: true },
+          { key: 'CI_DEPLOY_USER', value: deploy_token.name, public: true },
           { key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true }
         ]
       end
@@ -2058,9 +2058,8 @@ describe Ci::Build do
 
       context 'when gitlab-deploy-token does not exist' do
         it 'should not include deploy token variables' do
-          %w(CI_DEPLOY_USER CI_DEPLOY_PASSWORD).each do |deploy_token_key|
-            expect(subject.find { |v| v[:key] == deploy_token_key}).to be_nil
-          end
+          expect(subject.find { |v| v[:key] == 'CI_DEPLOY_USER'}).to be_nil
+          expect(subject.find { |v| v[:key] == 'CI_DEPLOY_PASSWORD'}).to be_nil
         end
       end
     end
@@ -2112,7 +2111,9 @@ describe Ci::Build do
                   CI_REGISTRY_USER
                   CI_REGISTRY_PASSWORD
                   CI_REPOSITORY_URL
-                  CI_ENVIRONMENT_URL]
+                  CI_ENVIRONMENT_URL
+                  CI_DEPLOY_USER
+                  CI_DEPLOY_PASSWORD]
 
         build.scoped_variables.map { |env| env[:key] }.tap do |names|
           expect(names).not_to include(*keys)

spec/models/project_spec.rb

@@ -3612,7 +3612,7 @@ describe Project do
       it { is_expected.to be_nil }
     end
 
-    context 'when there is a gitlab deploy token associated with a different name' do
+    context 'when there is a deploy token associated with a different name' do
       let!(:deploy_token) { create(:deploy_token, projects: [project]) }
 
       it { is_expected.to be_nil }