Skip to content
Latchkey

What Is a Protected Variable?

A protected variable is a pipeline variable that the CI system injects only when the pipeline runs on a protected branch or tag. Pipelines on other refs, including from forks or unprotected branches, never see its value. It scopes sensitive credentials to trusted refs.

Why it matters

Deploy keys and production secrets must not be exposed to pipelines triggered by arbitrary branches or contributors. Marking a variable protected ensures only trusted, protected refs can read it. This is a core control for keeping deployment credentials out of untrusted pipeline runs.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →