GitLab

Rules Gotchas

• rules: and only:/except: can't mix — use one or the other per job
• First matching rule wins — put specific rules before general ones
• Missing when: defaults to on_success — rules: - if: $CI_COMMIT_TAG runs on tag
• Empty rules array rules: [] means never run — different from no rules at all
• Add - when: never at end to prevent fallthrough — otherwise unmatched conditions may run

Silent Failures

• Protected variables missing on non-protected branches — job runs but variable is empty
• Runner tag mismatch — job stays pending forever with no error
• docker:dind on non-privileged runner — fails with cryptic Docker errors
• Masked variable format invalid — variable exposed in logs anyway

YAML Merge Traps

• extends: doesn't deep merge arrays — scripts, variables arrays get replaced, not appended
• Use !reference [.job, script] to reuse — script: [!reference [.base, script], "my command"]
• include: files can override each other — last one wins for same keys
• Anchors &/* don't work across files — use extends: for cross-file reuse