Surface inherited user-specific environment variables in project-specific environment variables

[gtsiolis]

Problem to solve

Following the work in #7295 to add project-specific environment variables, user-specific environment variables are not visible when a users adds project-specific environment variables.

Food for thought and certainly out of the scope here: This could be also interesting for team-level variables that could be inherited on the project level. However, this could leak variables set at the team level and could impact collaboration and sharing as secrets could leak to team members that only have access to specific repositories linked as projects. 🍔

Proposal

To provide better visibility and user control, we could surface inherited user-specific environment variables in project-specific environment variables.

TBD (To be discussed)

[jankeromnes]

Thanks for filing a follow-up issue! 🙏

user-specific environment variables are visible when a users adds project-specific environment variables.

Sorry, I don't understand this part. Could you please elaborate on this problem?

[gtsiolis]

Oh, I skipped not there. 😬

Updated the description. Do you think this feature request still makes sense to discuss further? I'm probably missing something here.

[jankeromnes]

Aha, makes a lot more sense now 😅 I feel like I should have been able to guess the missing not.

I'm still a bit confused about the second part though (🙈):

This could leak variable set at the user level and also impacts collaboration and sharing.

• I'm not 100% sure what you mean by "leak" here. I guess user-level variables that have a repositoryPattern which matches the project will also get exposed in project workspaces. But, this only happens for project workspaces belonging to that specific user (i.e. user values never "leak" to other users of the project, right?). Also, it's worth noting that we would like to deprecate the repositoryPattern in the future, and it's not yet fully clear what the user-level variables feature looks like without the repositoryPattern.

• I also don't understand the relationship with collaboration and sharing here (sorry for needing so much explaining/handholding 🙈)

[gtsiolis]

@jankeromnes I had team-level environment variables in mind when I was typing that! 😇

Updated the description and re-posting the update below:

Food for thought and certainly out of the scope here: This could be also interesting for team-level variables that could be inherited on the project level. However, this could leak variables set at the team level and could impact collaboration and sharing as secrets could leak to team members that only have access to specific repositories linked as projects. 🍔

[gtsiolis]

Looping in @jldec because #7881.

[svenefftinge]

What does " are not visible" mean?
A: Not visible in the dashboard's project env page (why should they?) or
B: User-level env variables are not passed to a started workspace (which would be a bad bug)?

[gtsiolis]

Re-posting from the updated description in #7532 (comment) as this would be more useful for team-level environment variables:

This could be also interesting for team-level variables that could be inherited on the project level.

The intent of this feature request was to provide better visibility of variables that could potentially leak upon sharing a snapshot or a running workspace. However, this could be resolved with better information upon sharing, shared workspace information, etc.

This also could become a valid issue for team-level environment variables but let's close this until 🅰️ this becomes an issue and 🅱️ there's more demand for team-level variables (see #7881). Thanks, everone for chiming in!