Built-in Environment Variables
Cloud Native Build includes some built-in default environment variables that are read-only and cannot be overwritten. Attempting to override these default environment variables during builds will not take effect.
Merge-related events include:
- pull_request
- pull_request.update
- pull_request.target
- pull_request.approved
- pull_request.changes_requested
- pull_request.mergeable
- pull_request.merged
- pull_request.comment
Learn more about trigger events.
Basic Variables
Variable Overview
| Variable Name | Description |
|---|---|
| CI | CI identifier, value is true |
| CNB | CNB identifier, value is true |
| CNB_WEB_PROTOCOL | Protocol used by Web |
| CNB_WEB_HOST | HOST used by Web |
| CNB_WEB_ENDPOINT | Complete Web address |
| CNB_API_ENDPOINT | Complete API address |
| CNB_GROUP_SLUG | Repository organization path |
| CNB_GROUP_SLUG_LOWERCASE | Organization path in lowercase format |
| CNB_EVENT | Event name that triggered the build |
| CNB_EVENT_URL | Event-related link |
| CNB_BRANCH | Branch name or Tag name |
| CNB_BRANCH_SHA | SHA of the latest commit on the branch |
| CNB_DEFAULT_BRANCH | Repository default branch |
CI
Value is true, used to identify the current environment as a CI environment.
CNB
Value is true, used to identify the current environment as a CNB build environment.
CNB_WEB_PROTOCOL
Current protocol used by Web, value is http or https.
CNB_WEB_HOST
Current HOST used by Web.
CNB_WEB_ENDPOINT
Complete Web address including protocol, HOST, and path (if any).
CNB_API_ENDPOINT
Complete API address including protocol, HOST, and path (if any).
Can be used with CNB_TOKEN to call API interfaces in CI.
CNB_GROUP_SLUG
Repository organization path.
CNB_GROUP_SLUG_LOWERCASE
Lowercase format of the repository organization path.
CNB_EVENT
Value is the event name that triggered the build.
See events for event types.
CNB_EVENT_URL
Event-related link, value rules are as follows:
| Trigger Event | Variable Value |
|---|---|
| Merge-related events | PR link |
| Issue-related events | Issue link |
| Other events | CNB_COMMIT link |
CNB_BRANCH
Branch name or Tag name, value rules are as follows:
| Trigger Event | Variable Value |
|---|---|
| Merge-related events | Target branch name |
| Tag-related events | Tag name |
| Other events | Corresponding branch name |
CNB_BRANCH_SHA
SHA of the latest commit on the branch, value rules are as follows:
| Trigger Event | Variable Value |
|---|---|
| branch.delete | No value |
| Other events | SHA of the latest commit on CNB_BRANCH |
CNB_DEFAULT_BRANCH
Repository default branch.
CNB_TOKEN_USER_NAME
Username corresponding to the user temporary token, fixed as cnb.
CNB_TOKEN
Temporary token used by users during pipeline execution. It is automatically destroyed after the pipeline completes. This token can be used for pulling and pushing code and artifacts, as well as for API calls.
Permission Assignment
The assignment of permissions depends on the type of event that triggers the pipeline:
Untrusted Events (refer to Untrusted Events):
| Event Type | Permission Scope |
|---|---|
| NPC events with work mode enabled | Current repository, read and write permissions |
| NPC events without work mode enabled or other untrusted events | Current repository, read-only permissions |
Detailed Permission List:
NPC Events with Work Mode Enabled:
| Permission Item | Description |
|---|---|
| repo-code:rw | Code read and write |
| repo-pr:rw | PR read and write |
| repo-issue:rw | Issue read and write |
| repo-notes:rw | Comments read and write |
| repo-contents:rw | Contents read and write |
| repo-basic-info:r | Basic info read-only |
NPC Events without Work Mode Enabled or Other Untrusted Events:
| Permission Item | Description |
|---|---|
| repo-code:r | Code read-only |
| repo-pr:r | PR read-only |
| repo-issue:r | Issue read-only |
| repo-notes:rw | Comments read and write |
| repo-contents:r | Contents read-only |
| registry-package:r | Artifact repository read-only |
| account-profile:r | User info read-only |
Other Trusted Events:
| Permission Item | Description |
|---|---|
| repo-code:rw | Code read and write |
| repo-pr:rw | PR read and write |
| repo-issue:rw | Issue read and write |
| repo-notes:rw | Comments read and write |
| repo-contents:rw | Contents read and write |
| registry-package:rw | Artifact repository read and write |
| repo-cnb-trigger:rw | Trigger read and write |
| repo-cnb-history:r | Build history read-only |
| repo-cnb-detail:r | Build details read-only |
| repo-basic-info:r | Basic info read-only |
| repo-manage:r | Repository management read-only |
| account-profile:r | User info read-only |
| group-resource:r | Organization resources read-only |
Permission Description
For specific permission meanings, refer to the Access Tokens section on the Personal Settings page.
Security Restrictions
- For pipelines in public repositories, this token's permissions are restricted to public repositories/artifact repositories only.
- For NPC events, this token's permissions are restricted to the current repository.
- For pipelines in forked repositories, this token's permissions are restricted to the current repository.
TWINE_USERNAME
PyPI artifact repository username, same as CNB_TOKEN_USER_NAME.
TWINE_PASSWORD
PyPI artifact repository password, same as CNB_TOKEN.
CNB_TOKEN_FOR_AI
User token indicating that the caller's identity is AI. It is only supported in merge-related events, issue.open, issue.close, ai_issue, ai_review, and NPC events. Permissions and scope are the same as CNB_TOKEN.
Usage Scenario:
When posting comments generated by AI in a merge request, this token can be used to call the OpenAPI for posting comments. An AI marker will be added on the page to indicate that the comment is from AI.
CNB_TOKEN_FOR_CODEBUDDY
User token, indicating that the caller's identity is CodeBuddy. Otherwise same as CNB_TOKEN_FOR_AI.
CNB_IS_CRONEVENT
Whether it's a scheduled task event.
CNB_DOCKER_REGISTRY
Artifact repository Docker registry address.
CNB_DOCKER_MODEL_REGISTRY
Artifact repository Docker model registry address.
CNB_HELM_REGISTRY
Artifact repository Helm registry address.
CNB_HAS_LFS_FILES
Whether there are LFS files.
Tips
If the repository's LFS files have been emptied, the value remains true until Git GC runs.
Commit Variables
Commit Variable Overview
| Variable Name | Description |
|---|---|
| CNB_BEFORE_SHA | SHA of the latest commit before branch push |
| CNB_COMMIT | Code SHA corresponding to the build |
| CNB_COMMIT_SHORT | First 8 characters of CNB_COMMIT |
| CNB_COMMIT_MESSAGE | Commit message |
| CNB_COMMIT_MESSAGE_TITLE | Commit message title |
| CNB_COMMITTER | Committer |
| CNB_COMMITTER_EMAIL | Committer email |
| CNB_NEW_COMMITS_COUNT | Number of new commits |
| CNB_IS_TAG | Whether it's a Tag build |
| CNB_TAG_MESSAGE | Tag message |
| CNB_TAG_RELEASE_TITLE | Release title |
| CNB_TAG_RELEASE_DESC | Release description |
| CNB_TAG_IS_RELEASE | Whether Tag has corresponding Release |
| CNB_TAG_IS_PRE_RELEASE | Whether it's a pre-release Release |
| CNB_IS_NEW_BRANCH | Whether it's a newly created branch |
| CNB_IS_NEW_BRANCH_WITH_UPDATE | Whether it's a new branch with new commits |
CNB_BEFORE_SHA
SHA of the latest commit on that branch in the remote repository before the branch was pushed.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| push, commit.add | SHA of the latest commit before branch push |
| New branch creation | 0000000000000000000000000000000000000000 |
| branch.create | 0000000000000000000000000000000000000000 |
CNB_COMMIT
Code SHA corresponding to the build.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| push, commit.add, branch.create | SHA of the latest commit |
| tag_push, tag_deploy.* | SHA of the latest commit on that Tag |
| auto_tag, branch.delete, issue.*, NPC events | SHA of the latest commit on the main branch |
| pull_request.merged | SHA after merge |
| pull_request.target, pull_request.mergeable | SHA of the latest commit on the target branch |
| pull_request, pull_request.approved, pull_request.changes_requested, pull_request.comment | SHA of the latest commit on the source branch |
| Workspaces, custom events | SHA of the latest commit on the specified branch |
Tips
For pull_request and similar events, the code hasn't actually been merged yet, so CNB_COMMIT takes the SHA of the latest commit on the source branch. However, a pre-merge is performed during the build, so the build runs against the merged content.
CNB_COMMIT_SHORT
Abbreviation of CNB_COMMIT, taking its first 8 characters.
CNB_COMMIT_MESSAGE
Commit message corresponding to CNB_COMMIT.
CNB_COMMIT_MESSAGE_TITLE
The title part of CNB_COMMIT_MESSAGE, i.e., the first line.
CNB_COMMITTER
Committer corresponding to CNB_COMMIT.
CNB_COMMITTER_EMAIL
Email corresponding to CNB_COMMITTER.
CNB_NEW_COMMITS_COUNT
For builds triggered by commit.add, the value is the number of new Commits.
Can be combined with git log -n to view the new Commits.
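An added example (not part of the CNB documentation or CNB's own code) that combines CNB_BEFORE_SHA, CNB_COMMIT and CNB_NEW_COMMITS_COUNT to select the commits a build introduced, for instance as input to a secret scanner, and handles the all-zero CNB_BEFORE_SHA of a new branch. The function names and the fallback order (range, then count, then the single build commit) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CNB's own code. Function names are hypothetical.

# 40 zeros: the CNB_BEFORE_SHA value documented for new branches.
Z=0000000000
ZERO_SHA=$Z$Z$Z$Z

# is_sha VALUE: succeeds only for exactly 40 lowercase hex characters, so a
# malformed value can never reach git as an option or an arbitrary ref name.
is_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# is_count VALUE: succeeds only for a positive decimal integer.
is_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# new_commit_selector: prints the arguments to hand to `git log` or
# `git rev-list` to list the commits introduced by this build.
new_commit_selector() {
  before=${CNB_BEFORE_SHA:-}
  head=${CNB_COMMIT:-}
  count=${CNB_NEW_COMMITS_COUNT:-}

  is_sha "$head" || { echo "CNB_COMMIT is not a full SHA" >&2; return 1; }

  if is_sha "$before" && [ "$before" != "$ZERO_SHA" ]; then
    # Ordinary push: commits reachable from head but not from before.
    printf '%s..%s\n' "$before" "$head"
  elif is_count "$count"; then
    # No usable base (new branch): use the documented commit count.
    printf '%s %s %s\n' -n "$count" "$head"
  else
    # Neither a base nor a count: inspect only the build commit.
    printf '%s %s %s\n' -n 1 "$head"
  fi
}

# Usage inside a pipeline script (word splitting of the output is intended):
#   git log --format='%H %s' $(new_commit_selector)
```

A range built directly from an all-zero CNB_BEFORE_SHA makes git fail, which is why the zero value is checked before the range form is used.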
CNB_IS_TAG
For builds where the branch is a Tag, the value is true.
CNB_TAG_MESSAGE
Tag message.
CNB_TAG_RELEASE_TITLE
Release title.
CNB_TAG_RELEASE_DESC
Release description.
CNB_TAG_IS_RELEASE
Whether the Tag has a corresponding Release.
Value Rules:
| Condition | Variable Value |
|---|---|
| Branch is Tag and has corresponding Release | true |
| Other cases | false |
CNB_TAG_IS_PRE_RELEASE
Whether it's a pre-release Release.
Value Rules:
| Condition | Variable Value |
|---|---|
| Branch is Tag, has corresponding Release, and is pre-release | true |
| Other cases | false |
CNB_IS_NEW_BRANCH
Whether the current branch belongs to a newly created branch, default is false.
CNB_IS_NEW_BRANCH_WITH_UPDATE
Whether the current branch belongs to a newly created branch and has new commits, default is false.
Repository Variables
Repository Variable Overview
| Variable Name | Description |
|---|---|
| CNB_REPO_SLUG | Repository path |
| CNB_REPO_SLUG_LOWERCASE | Repository path in lowercase format |
| CNB_REPO_NAME | Repository name |
| CNB_REPO_NAME_LOWERCASE | Repository name in lowercase format |
| CNB_REPO_ID | Repository ID |
| CNB_REPO_URL_HTTPS | Repository HTTPS address |
CNB_REPO_SLUG
Target repository path in format group_slug/repo_name or group_slug/sub_group_slug/.../repo_name.
CNB_REPO_SLUG_LOWERCASE
Lowercase format of the target repository path.
CNB_REPO_NAME
Target repository name.
CNB_REPO_NAME_LOWERCASE
Lowercase format of the target repository name.
CNB_REPO_ID
Target repository ID.
CNB_REPO_URL_HTTPS
HTTPS address of the target repository.
CNB_FORK_FROM_REPO_SLUG
Path of the source repository that the current repository was forked from.
Build Variables
Build Variable Overview
| Variable Name | Description |
|---|---|
| CNB_BUILD_ID | Build serial number |
| CNB_BUILD_WEB_URL | Build log address |
| CNB_BUILD_START_TIME | Build start time |
| CNB_BUILD_USER | Trigger username |
| CNB_BUILD_USER_NICKNAME | Trigger nickname |
| CNB_BUILD_USER_EMAIL | Trigger email |
| CNB_BUILD_USER_ID | Trigger ID |
| CNB_BUILD_USER_NPC_SLUG | NPC repository path |
| CNB_BUILD_USER_NPC_NAME | NPC role name |
| CNB_BUILD_STAGE_NAME | Stage name |
| CNB_BUILD_JOB_NAME | Job name |
| CNB_BUILD_JOB_KEY | Job Key |
| CNB_BUILD_WORKSPACE | Workspace root directory |
| CNB_BUILD_FAILED_MSG | Build failure error message |
| CNB_BUILD_FAILED_STAGE_NAME | Failed Stage name |
| CNB_PIPELINE_NAME | Pipeline name |
| CNB_PIPELINE_KEY | Pipeline Key |
| CNB_PIPELINE_ID | Pipeline ID |
| CNB_PIPELINE_DOCKER_IMAGE | Pipeline Docker image |
| CNB_PIPELINE_STATUS | Pipeline build status |
| CNB_PIPELINE_MAX_RUN_TIME | Pipeline maximum run time |
| CNB_RUNNER_IP | Runner IP |
| CNB_CPUS | Available CPU cores |
| CNB_MEMORY | Available memory size |
| CNB_IS_RETRY | Whether triggered by rebuild |
| HUSKY_SKIP_INSTALL | Husky compatibility identifier |
CNB_BUILD_ID
Current build serial number, globally unique.
CNB_BUILD_WEB_URL
Current build log address.
CNB_BUILD_START_TIME
Current build start time in UTC format, example 2025-08-21T09:13:45.803Z.
CNB_BUILD_USER
Current build trigger username.
CNB_BUILD_USER_NICKNAME
Current build trigger nickname.
CNB_BUILD_USER_EMAIL
Current build trigger email.
CNB_BUILD_USER_ID
Current build trigger ID.
CNB_BUILD_USER_NPC_SLUG
If the current build is triggered by an NPC, this is the repository path to which the NPC belongs.
CNB_BUILD_USER_NPC_NAME
If the current build is triggered by an NPC, this is the NPC role name.
CNB_BUILD_STAGE_NAME
Current build Stage name.
CNB_BUILD_JOB_NAME
Current build Job name.
CNB_BUILD_JOB_KEY
Current build Job Key, unique within the same Stage.
CNB_BUILD_WORKSPACE
Root directory of the workspace in which custom shell scripts are executed.
CNB_BUILD_FAILED_MSG
Pipeline build failure error message, can be used in failStages.
CNB_BUILD_FAILED_STAGE_NAME
Pipeline build failure Stage name, can be used in failStages.
CNB_PIPELINE_NAME
Current Pipeline name, empty if not declared.
CNB_PIPELINE_KEY
Current Pipeline index Key, e.g., pipeline-0.
CNB_PIPELINE_ID
Current Pipeline ID, globally unique string.
CNB_PIPELINE_DOCKER_IMAGE
Docker image used by the current Pipeline, e.g., alpine:latest.
CNB_PIPELINE_STATUS
Current pipeline build status, can be viewed in endStages.
Possible Values:
| Status Value | Description |
|---|---|
| success | Pipeline build completed successfully |
| error | Error occurred during pipeline build |
| cancel | Pipeline build was canceled |
CNB_PIPELINE_MAX_RUN_TIME
Pipeline maximum run time in milliseconds.
CNB_RUNNER_IP
IP of the Runner where the current Pipeline is located.
CNB_CPUS
Maximum CPU cores available for the current build pipeline.
CNB_MEMORY
Maximum memory size available for the current build pipeline, in GiB.
CNB_IS_RETRY
Whether the current build was triggered by rebuild.
HUSKY_SKIP_INSTALL
Husky compatibility in CI environment.
Merge-Related Variables
Merge-Related Variable Overview
| Variable Name | Description |
|---|---|
| CNB_PULL_REQUEST | Whether triggered by PR |
| CNB_PULL_REQUEST_LIKE | Whether triggered by merge-related events |
| CNB_PULL_REQUEST_PROPOSER | PR proposer |
| CNB_PULL_REQUEST_TITLE | PR title |
| CNB_PULL_REQUEST_DESCRIPTION | PR description |
| CNB_PULL_REQUEST_BRANCH | PR source branch name |
| CNB_PULL_REQUEST_SHA | PR source branch latest SHA |
| CNB_PULL_REQUEST_TARGET_SHA | PR target branch latest SHA |
| CNB_PULL_REQUEST_MERGE_SHA | PR merged SHA |
| CNB_PULL_REQUEST_SLUG | Source repository Slug |
| CNB_PULL_REQUEST_ACTION | PR operation type |
| CNB_PULL_REQUEST_ID | PR globally unique ID |
| CNB_PULL_REQUEST_IID | PR repository number |
| CNB_PULL_REQUEST_REVIEWERS | Reviewer list |
| CNB_PULL_REQUEST_REVIEW_STATE | Review status |
| CNB_REVIEW_REVIEWED_BY | Approved reviewer list |
| CNB_REVIEW_LAST_REVIEWED_BY | Last approved reviewer |
| CNB_PULL_REQUEST_IS_WIP | Whether PR is WIP |
CNB_PULL_REQUEST
Whether triggered by PR.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| pull_request, pull_request.update, pull_request.target | true |
| Other events | false |
CNB_PULL_REQUEST_LIKE
Whether triggered by merge-related events.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| Merge-related events | true |
| Other events | false |
CNB_PULL_REQUEST_PROPOSER
PR proposer name.
CNB_PULL_REQUEST_TITLE
PR title.
CNB_PULL_REQUEST_DESCRIPTION
PR description.
CNB_PULL_REQUEST_BRANCH
PR source branch name.
CNB_PULL_REQUEST_SHA
SHA of the latest commit on the PR source branch.
CNB_PULL_REQUEST_TARGET_SHA
SHA of the latest commit on the PR target branch.
CNB_PULL_REQUEST_MERGE_SHA
SHA after PR merge.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| pull_request.merged | SHA after PR merge |
| pull_request, pull_request.update, pull_request.target, pull_request.mergeable, pull_request.comment | SHA after PR pre-merge |
| Other events | No value |
CNB_PULL_REQUEST_SLUG
Source repository path for merge-related events, in format group_slug/repo_name or group_slug/sub_group_slug/.../repo_name.
CNB_PULL_REQUEST_ACTION
PR operation type.
Possible Values:
| Value | Description |
|---|---|
| created | New PR created |
| code_update | Source branch push |
| status_update | PR becomes mergeable when review approved or CI status changes |
CNB_PULL_REQUEST_ID
PR globally unique ID.
CNB_PULL_REQUEST_IID
PR number IID in the repository.
CNB_PULL_REQUEST_REVIEWERS
Reviewer list, multiple separated by ,.
CNB_PULL_REQUEST_REVIEW_STATE
Review status.
Value Rules:
| Condition | Variable Value |
|---|---|
| Has reviewers and someone approved | approve |
| Has reviewers but no one approved | unapprove |
| Other cases | No value |
CNB_REVIEW_REVIEWED_BY
List of approved reviewers, multiple separated by ,.
CNB_REVIEW_LAST_REVIEWED_BY
Last approved reviewer.
CNB_PULL_REQUEST_IS_WIP
Whether the PR is set to WIP.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| Merge-related events | true or false |
| Other events | No value |
Workspaces Variables
Workspaces Variable Overview
| Variable Name | Description |
|---|---|
| CNB_VSCODE_WEB_URL | Workspaces address |
| CNB_VSCODE_MAX_RUN_TIME | Workspaces maximum run time |
CNB_VSCODE_WEB_URL
Workspaces address, only exists when services: vscode is declared.
CNB_VSCODE_MAX_RUN_TIME
Workspaces environment maximum run time in milliseconds, only exists when services: vscode is declared.
Issue Variables
Issue Variable Overview
| Variable Name | Description |
|---|---|
| CNB_ISSUE_ID | Issue globally unique ID |
| CNB_ISSUE_IID | Issue repository number |
| CNB_ISSUE_TITLE | Issue title |
| CNB_ISSUE_DESCRIPTION | Issue description |
| CNB_ISSUE_OWNER | Issue author |
| CNB_ISSUE_STATE | Issue status |
| CNB_ISSUE_IS_RESOLVED | Whether Issue is resolved |
| CNB_ISSUE_ASSIGNEES | Issue assignee list |
| CNB_ISSUE_LABELS | Issue label list |
| CNB_ISSUE_PRIORITY | Issue priority |
CNB_ISSUE_ID
Issue globally unique ID.
CNB_ISSUE_IID
Issue number IID in the repository.
CNB_ISSUE_TITLE
Issue title.
CNB_ISSUE_DESCRIPTION
Issue description.
CNB_ISSUE_OWNER
Issue author username.
CNB_ISSUE_STATE
Issue status.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| issue.* | open or closed |
| Other events | Empty string |
CNB_ISSUE_IS_RESOLVED
Whether the Issue is resolved.
Value Rules:
| Trigger Event | Variable Value |
|---|---|
| issue.* | true or false |
| Other events | Empty string |
CNB_ISSUE_ASSIGNEES
Issue assignee username list, multiple separated by ,.
CNB_ISSUE_LABELS
Issue label list, multiple separated by ,.
CNB_ISSUE_PRIORITY
Issue priority.
Comment Variables
Comment Variable Overview
| Variable Name | Description |
|---|---|
| CNB_COMMENT_ID | Comment globally unique ID |
| CNB_COMMENT_BODY | Comment content |
| CNB_COMMENT_TYPE | Comment type |
| CNB_COMMENT_FILE_PATH | Comment file |
| CNB_COMMENT_RANGE | Comment code line |
| CNB_REVIEW_ID | Review ID |
| CNB_REVIEW_DESCRIPTION | Review description |
CNB_COMMENT_ID
Comment globally unique ID.
CNB_COMMENT_BODY
Comment content.
CNB_COMMENT_TYPE
Comment type.
Value Rules:
| Comment Type | Variable Value |
|---|---|
| PR code review comment | diff_note |
| PR non-code review comment and Issue comment | note |
| Other cases | No value |
CNB_COMMENT_FILE_PATH
PR code review, file where the comment is located.
CNB_COMMENT_RANGE
PR code review, code line where the comment is located, e.g., L12 (single line) or L13-L16 (multiple lines).
CNB_REVIEW_ID
PR code review ID.
CNB_REVIEW_DESCRIPTION
PR code review description.
NPC Variables
NPC Variable Overview
| Variable Name | Description |
|---|---|
| CNB_NPC_SLUG | NPC repository path |
| CNB_NPC_SLUG_LOWERCASE | NPC repository path in lowercase format |
| CNB_NPC_NAME | NPC role name |
| CNB_NPC_SHA | NPC repository default branch latest SHA |
| CNB_NPC_PROMPT | NPC role Prompt |
| CNB_NPC_AVATAR | NPC role avatar |
| CNB_NPC_ENABLE_THINKING | Whether NPC has thinking enabled |
| CNB_NPC_ENABLE_WORKMODE | Whether NPC has work mode enabled |
CNB_NPC_SLUG
NPC repository path.
No value if it's a system NPC.
CNB_NPC_SLUG_LOWERCASE
Lowercase format of the NPC repository path.
No value if it's a system NPC.
CNB_NPC_NAME
NPC role name.
CNB_NPC_SHA
SHA of the latest commit on the NPC repository default branch.
No value if it's a system NPC.
CNB_NPC_PROMPT
NPC role Prompt.
No value if it's a system NPC.
CNB_NPC_AVATAR
NPC role avatar.
No value if it's a system NPC.
CNB_NPC_ENABLE_THINKING
Whether the NPC role has thinking enabled.
No value if it's a system NPC.
CNB_NPC_ENABLE_WORKMODE
Whether the NPC role has work mode enabled. In work mode, the NPC has higher permissions, refer to CNB_TOKEN.
No value if it's a system NPC.