diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ec12e4ea967..de51c2b6e13 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -16,6 +16,22 @@ variables: # running on a particular CI farm (ie. for outages, etc): FD_FARM: "online" +default: + before_script: + - echo -e "\e[0Ksection_start:$(date +%s):unset_env_vars_section[collapsed=true]\r\e[0KUnsetting vulnerable environment variables" + - export CI_JOB_JWT_FILE="${CI_JOB_JWT_FILE:-$(mktemp)}" + - echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}" + - unset CI_JOB_JWT + - echo -e "\e[0Ksection_end:$(date +%s):unset_env_vars_section\r\e[0K" + + after_script: + - > + set +x + + test -e "${CI_JOB_JWT_FILE}" && + export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" && + rm "${CI_JOB_JWT_FILE}" + include: - project: 'freedesktop/ci-templates' ref: 34f4ade99434043f88e164933f570301fd18b125 diff --git a/.gitlab-ci/bare-metal/rootfs-setup.sh b/.gitlab-ci/bare-metal/rootfs-setup.sh index 0b017454ca6..8adeb2d23ad 100644 --- a/.gitlab-ci/bare-metal/rootfs-setup.sh +++ b/.gitlab-ci/bare-metal/rootfs-setup.sh @@ -8,15 +8,20 @@ mkdir -p $rootfs_dst/results cp $BM/bm-init.sh $rootfs_dst/init cp $CI_COMMON/init*.sh $rootfs_dst/ +# Make JWT token available as file in the bare-metal storage to enable access +# to MinIO +cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}" + cp $CI_COMMON/capture-devcoredump.sh $rootfs_dst/ set +x + # Pass through relevant env vars from the gitlab job to the baremetal init script "$CI_COMMON"/generate-env.sh > $rootfs_dst/set-job-env-vars.sh chmod +x $rootfs_dst/set-job-env-vars.sh echo "Variables passed through:" cat $rootfs_dst/set-job-env-vars.sh -echo "export CI_JOB_JWT=${CI_JOB_JWT@Q}" >> $rootfs_dst/set-job-env-vars.sh + set -x # Add the Mesa drivers we built, and make a consistent symlink to them. diff --git a/.gitlab-ci/common/generate-env.sh b/.gitlab-ci/common/generate-env.sh index 05376d4a73d..7978ca3f618 100755 --- a/.gitlab-ci/common/generate-env.sh +++ b/.gitlab-ci/common/generate-env.sh 
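Review bot: The cleanup in `after_script` probably never runs, because GitLab executes `after_script` in a new shell that does not see variables exported by `before_script`; a `CI_JOB_JWT_FILE` that came from `$(mktemp)` is unset there, `test -e` fails, and the token file stays on the runner. Defining the path as a real job variable under the top-level `variables:`, e.g. `CI_JOB_JWT_FILE: /path/chosen/by/ci` (placeholder), would make it visible to both scripts. When the variable is preset, the file is created by the shell redirect under the default umask rather than by `mktemp`, so add `- umask 077` before the `echo -n` line. Jobs that define their own `before_script` replace this default and keep `CI_JOB_JWT` in their environment.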
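Review bot: The `cp` of the token into `${rootfs_dst}${CI_JOB_JWT_FILE}` assumes the parent directory already exists inside the rootfs and leaves the mode of the copy to `cp` and the umask. `install -D -m 0600 "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"` would create the directory and pin the mode. The copy also stays in the rootfs tree after the job unless something outside this hunk removes it, so the comment above the `cp` should say what deletes it. The script continues outside the hunk.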
@@ -7,6 +7,7 @@ for var in \
 CI_COMMIT_BRANCH \
 CI_COMMIT_TITLE \
 CI_JOB_ID \
+ CI_JOB_JWT_FILE \
 CI_JOB_URL \
 CI_MERGE_REQUEST_SOURCE_BRANCH_NAME \
 CI_MERGE_REQUEST_TITLE \
@@ -20,6 +21,9 @@ for var in \
 CI_PROJECT_ROOT_NAMESPACE \
 CI_RUNNER_DESCRIPTION \
 CI_SERVER_URL \
+ CROSVM_GALLIUM_DRIVER \
+ CROSVM_GPU_ARGS \
+ CROSVM_TEST_SCRIPT \
 DEQP_CASELIST_FILTER \
 DEQP_CASELIST_INV_FILTER \
 DEQP_CONFIG \
@@ -29,6 +33,7 @@ for var in \
 DEQP_RESULTS_DIR \
 DEQP_RUNNER_OPTIONS \
 DEQP_SUITE \
+ DEQP_TEMP_DIR \
 DEQP_VARIANT \
 DEQP_VER \
 DEQP_WIDTH \
@@ -40,6 +45,7 @@ for var in \
 FDO_UPSTREAM_REPO \
 FD_MESA_DEBUG \
 FLAKES_CHANNEL \
+ GALLIUM_DRIVER \
 GPU_VERSION \
 GTEST \
 GTEST_FAILS \
@@ -55,10 +61,11 @@ for var in \
 JOB_ARTIFACTS_BASE \
 JOB_RESULTS_PATH \
 JOB_ROOTFS_OVERLAY_PATH \
+ LD_LIBRARY_PATH \
 MESA_BUILD_PATH \
- MESA_GL_VERSION_OVERRIDE \
- MESA_GLSL_VERSION_OVERRIDE \
 MESA_GLES_VERSION_OVERRIDE \
+ MESA_GLSL_VERSION_OVERRIDE \
+ MESA_GL_VERSION_OVERRIDE \
 MESA_VK_IGNORE_CONFORMANCE_WARNING \
 MINIO_HOST \
 NIR_VALIDATE \
@@ -71,11 +78,11 @@ for var in \
 PIGLIT_PLATFORM \
 PIGLIT_PROFILES \
 PIGLIT_REPLAY_ARTIFACTS_BASE_URL \
- PIGLIT_REPLAY_SUBCOMMAND \
 PIGLIT_REPLAY_DESCRIPTION_FILE \
 PIGLIT_REPLAY_DEVICE_NAME \
 PIGLIT_REPLAY_EXTRA_ARGS \
 PIGLIT_REPLAY_REFERENCE_IMAGES_BASE \
+ PIGLIT_REPLAY_SUBCOMMAND \
 PIGLIT_REPLAY_UPLOAD_TO_MINIO \
 PIGLIT_RESULTS \
 PIGLIT_TESTS \
diff --git a/.gitlab-ci/common/init-stage2.sh b/.gitlab-ci/common/init-stage2.sh
index 53b904156c6..c0669c7f4cf 100755
--- a/.gitlab-ci/common/init-stage2.sh
+++ b/.gitlab-ci/common/init-stage2.sh
@@ -71,7 +71,7 @@ fi
 MINIO=$(cat /proc/cmdline | tr ' ' '\n' | grep minio_results | cut -d '=' -f 2 || true)
 if [ -n "$MINIO" ]; then
 tar -czf results.tar.gz results/;
- ci-fairy minio login "$CI_JOB_JWT";
+ ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}";
 ci-fairy minio cp results.tar.gz minio://"$MINIO"/results.tar.gz;
 fi
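Review bot: The variable list carries no comment saying that only non-secret values may be added, yet rootfs-setup.sh prints the generated file to the job log (`cat $rootfs_dst/set-job-env-vars.sh`). Adding `CI_JOB_JWT_FILE` is fine because it is only a path, but a line such as `# Output is echoed to the job log: list paths to secrets, never the secrets themselves` above the `for var in` loop would keep it that way. The loop starts and ends outside these hunks. The other additions (`CROSVM_*`, `DEQP_TEMP_DIR`, `GALLIUM_DRIVER`, `LD_LIBRARY_PATH`) look unrelated to the token change and would be easier to review in their own commit.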
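Review bot: `ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}"` is reached with an empty path whenever the variable was never set up, for example in a job that overrides the default `before_script`, and the failure then surfaces inside ci-fairy rather than in the script. A guard such as `: "${CI_JOB_JWT_FILE:?CI_JOB_JWT_FILE is not set}"` before the login makes the cause obvious. The same applies to the login calls changed in lava_build.sh, lava-submit.sh, piglit/run.sh and prepare-artifacts.sh.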
diff --git a/.gitlab-ci/container/lava_build.sh b/.gitlab-ci/container/lava_build.sh index bd0f04021bf..9c4fb35d5b8 100755 --- a/.gitlab-ci/container/lava_build.sh +++ b/.gitlab-ci/container/lava_build.sh @@ -205,7 +205,7 @@ popd . .gitlab-ci/container/container_post_build.sh ############### Upload the files! -ci-fairy minio login $CI_JOB_JWT +ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}" FILES_TO_UPLOAD="lava-rootfs.tgz \ $KERNEL_IMAGE_NAME" diff --git a/.gitlab-ci/crosvm-runner.sh b/.gitlab-ci/crosvm-runner.sh index 6ababc8de92..045201eae18 100755 --- a/.gitlab-ci/crosvm-runner.sh +++ b/.gitlab-ci/crosvm-runner.sh @@ -1,6 +1,6 @@ #!/bin/sh -set -e +set -ex # This script can be called concurrently, pass arguments and env in a per-instance tmp dir export DEQP_TEMP_DIR=`mktemp -d /tmp.XXXXXXXXXX` diff --git a/.gitlab-ci/lava/lava-submit.sh b/.gitlab-ci/lava/lava-submit.sh index 1d3a2453144..59325678dab 100755 --- a/.gitlab-ci/lava/lava-submit.sh +++ b/.gitlab-ci/lava/lava-submit.sh @@ -22,7 +22,7 @@ cp artifacts/ci-common/init-*.sh results/job-rootfs-overlay/ artifacts/ci-common/generate-env.sh > results/job-rootfs-overlay/set-job-env-vars.sh tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ . -ci-fairy minio login "${CI_JOB_JWT}" +ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}" ci-fairy minio cp job-rootfs-overlay.tar.gz "minio://${JOB_ROOTFS_OVERLAY_PATH}" touch results/lava.log @@ -39,7 +39,7 @@ artifacts/lava/lava_job_submitter.py \ --ci-project-dir ${CI_PROJECT_DIR} \ --device-type ${DEVICE_TYPE} \ --dtb ${DTB} \ - --jwt "${CI_JOB_JWT}" \ + --jwt-file "${CI_JOB_JWT_FILE}" \ --kernel-image-name ${KERNEL_IMAGE_NAME} \ --kernel-image-type "${KERNEL_IMAGE_TYPE}" \ --boot-method ${BOOT_METHOD} \ diff --git a/.gitlab-ci/lava/lava_job_submitter.py b/.gitlab-ci/lava/lava_job_submitter.py index bf2032c4fe6..5d1f469e7c6 100755 --- a/.gitlab-ci/lava/lava_job_submitter.py +++ b/.gitlab-ci/lava/lava_job_submitter.py 
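Review bot: Switching crosvm-runner.sh to `set -ex` turns on command tracing for the whole script, in a commit whose purpose is to keep the job token out of logs. The context comment says this script passes arguments and the environment through a per-instance temp dir; if that code (outside this hunk) writes out the environment, `-x` can print expanded values to the job log. Keep `set -e` here, or bracket the sensitive part with `set +x` / `set -x` as rootfs-setup.sh does.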
@@ -25,16 +25,16 @@ """Send a job to LAVA, track it and collect log back""" import argparse -import lavacli -import os +import pathlib import sys import time import traceback import urllib.parse import xmlrpc -import yaml - from datetime import datetime, timedelta + +import lavacli +import yaml from lavacli.utils import loader # Timeout in minutes to decide if the device from the dispatched LAVA job has @@ -59,6 +59,18 @@ def fatal_err(msg): print_log(msg) sys.exit(1) + +def hide_sensitive_data(yaml_data, hide_tag="HIDEME"): + out_data = "" + + for line in yaml_data.splitlines(True): + if hide_tag in line: + continue + out_data += line + + return out_data + + def generate_lava_yaml(args): # General metadata and permissions, plus also inexplicably kernel arguments values = { @@ -140,15 +152,22 @@ def generate_lava_yaml(args): # - fetch and unpack per-job environment from lava-submit.sh # - exec .gitlab-ci/common/init-stage2.sh init_lines = [] + with open(args.first_stage_init, 'r') as init_sh: init_lines += [ x.rstrip() for x in init_sh if not x.startswith('#') and x.rstrip() ] + + with open(args.jwt_file) as jwt_file: + init_lines += [ + "set +x", + f'echo -n "{jwt_file.read()}" > "{args.jwt_file}" # HIDEME', + "set -x", + ] + init_lines += [ 'mkdir -p {}'.format(args.ci_project_dir), 'wget -S --progress=dot:giga -O- {} | tar -xz -C {}'.format(args.mesa_build_url, args.ci_project_dir), 'wget -S --progress=dot:giga -O- {} | tar -xz -C /'.format(args.job_rootfs_overlay_url), - 'set +x', - 'export CI_JOB_JWT="{}"'.format(args.jwt), - 'set -x', + f'echo "export CI_JOB_JWT_FILE={args.jwt_file}" >> /set-job-env-vars.sh', 'exec /init-stage2.sh', ] test['definitions'][0]['repository']['run']['steps'] = init_lines 
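Review bot: `hide_sensitive_data` redacts by dropping physical lines that contain `HIDEME`, which only works if the YAML emitter keeps the tagged command on a single line. If `generate_lava_yaml` (its dump call is outside this diff) uses a line width that folds long scalars, the token and the `# HIDEME` marker can end up on different lines and `--dump-yaml` prints the token. The function also has no docstring; it should state that contract, e.g. `"""Drop every line containing hide_tag; callers must keep each secret on one tagged line."""`.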
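Review bot: The token is interpolated unmodified into a shell command, `f'echo -n "{jwt_file.read()}" > "{args.jwt_file}" # HIDEME'`, so a trailing newline or a shell metacharacter in the file changes the command and can move the token off the `HIDEME`-tagged line. Read it as `token = jwt_file.read().strip()` and pass both the token and the path through `shlex.quote` (this needs `import shlex`). The token still becomes part of the LAVA job definition, so presumably anyone who can view the submitted job can read it; a comment next to the `with open(args.jwt_file)` block should say so. `generate_lava_yaml` starts and ends outside this hunk.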
@@ -285,9 +304,7 @@ def main(args): yaml_file = generate_lava_yaml(args) if args.dump_yaml: - censored_args = args - censored_args.jwt = "jwt-hidden" - print(generate_lava_yaml(censored_args)) + print(hide_sensitive_data(generate_lava_yaml(args))) if args.validate_only: ret = validate_job(proxy, yaml_file) @@ -318,13 +335,7 @@ def main(args): if get_job_results(proxy, job_id, "0_mesa", "mesa") == True: break - -if __name__ == '__main__': - # given that we proxy from DUT -> LAVA dispatcher -> LAVA primary -> us -> - # GitLab runner -> GitLab primary -> user, safe to say we don't need any - # more buffering - sys.stdout.reconfigure(line_buffering=True) - sys.stderr.reconfigure(line_buffering=True) +def create_parser(): parser = argparse.ArgumentParser("LAVA job submitter") parser.add_argument("--pipeline-info") @@ -341,11 +352,22 @@ if __name__ == '__main__': parser.add_argument("--kernel-image-type", nargs='?', default="") parser.add_argument("--boot-method") parser.add_argument("--lava-tags", nargs='?', default="") - parser.add_argument("--jwt") + parser.add_argument("--jwt-file", type=pathlib.Path) parser.add_argument("--validate-only", action='store_true') parser.add_argument("--dump-yaml", action='store_true') parser.add_argument("--visibility-group") + return parser + +if __name__ == "__main__": + # given that we proxy from DUT -> LAVA dispatcher -> LAVA primary -> us -> + # GitLab runner -> GitLab primary -> user, safe to say we don't need any + # more buffering + sys.stdout.reconfigure(line_buffering=True) + sys.stderr.reconfigure(line_buffering=True) + + parser = create_parser() + parser.set_defaults(func=main) args = parser.parse_args() args.func(args) diff --git a/.gitlab-ci/piglit/run.sh b/.gitlab-ci/piglit/run.sh index 030e3b48ff5..e8a9cdaaec8 100755 --- a/.gitlab-ci/piglit/run.sh +++ b/.gitlab-ci/piglit/run.sh 
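Review bot: `--dump-yaml` calls `generate_lava_yaml(args)` a second time although `yaml_file` from the line above already holds the same text, so the token file is read twice and the dump is not guaranteed to be the document that gets submitted. `print(hide_sensitive_data(yaml_file))` is enough. `main` starts and ends outside this hunk.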
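Review bot: `--jwt-file` is declared optional, but `generate_lava_yaml` opens `args.jwt_file` unconditionally, so a run without the option fails with a `TypeError` from `open(None)` instead of a usage error. Declare it as `parser.add_argument("--jwt-file", type=pathlib.Path, required=True, help="file holding the CI job JWT")`. The new `create_parser` also has no docstring; one line such as `"""Build the command-line parser for the LAVA job submitter."""` would do.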
@@ -201,7 +201,7 @@ FAILURE_MESSAGE=$(printf "%s" "Unexpected change in results:") if [ "x$PIGLIT_PROFILES" = "xreplay" ] \ && [ ${PIGLIT_REPLAY_UPLOAD_TO_MINIO:-0} -eq 1 ]; then - ci-fairy minio login $MINIO_ARGS $CI_JOB_JWT + ci-fairy minio login $MINIO_ARGS --token-file "${CI_JOB_JWT_FILE}" fi eval $RUN_CMD diff --git a/.gitlab-ci/prepare-artifacts.sh b/.gitlab-ci/prepare-artifacts.sh index cbbe0a318cb..d4fe4029b79 100755 --- a/.gitlab-ci/prepare-artifacts.sh +++ b/.gitlab-ci/prepare-artifacts.sh @@ -52,6 +52,6 @@ if [ -n "$MINIO_ARTIFACT_NAME" ]; then # Pass needed files to the test stage MINIO_ARTIFACT_NAME="$MINIO_ARTIFACT_NAME.tar.gz" gzip -c artifacts/install.tar > ${MINIO_ARTIFACT_NAME} - ci-fairy minio login $CI_JOB_JWT + ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}" ci-fairy minio cp ${MINIO_ARTIFACT_NAME} minio://${PIPELINE_ARTIFACTS_BASE}/${MINIO_ARTIFACT_NAME} fi diff --git a/src/freedreno/ci/gitlab-ci.yml b/src/freedreno/ci/gitlab-ci.yml index 70c9bf99745..d90b7625a54 100644 --- a/src/freedreno/ci/gitlab-ci.yml +++ b/src/freedreno/ci/gitlab-ci.yml @@ -265,7 +265,7 @@ a630-traces-restricted: - .freedreno-rules-restricted variables: PIGLIT_REPLAY_DESCRIPTION_FILE: "/install/restricted-traces-freedreno.yml" - PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_host=minio-packet.freedesktop.org --minio_bucket=mesa-tracie-private --role-session-name=${CI_PROJECT_PATH}:${CI_JOB_ID} --jwt=${CI_JOB_JWT} + PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_host=minio-packet.freedesktop.org --minio_bucket=mesa-tracie-private --role-session-name=${CI_PROJECT_PATH}:${CI_JOB_ID} --jwt-file=${CI_JOB_JWT_FILE} allow_failure: true a630-traces-performance:
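Review bot: `--jwt-file=${CI_JOB_JWT_FILE}` sits in a `variables:` value, while `CI_JOB_JWT_FILE` is only exported by the `before_script` shell, so the reference may be expanded to an empty string when the job variables are built, before any script runs. Unless `PIGLIT_REPLAY_EXTRA_ARGS` is re-evaluated later by the shell (piglit/run.sh does `eval $RUN_CMD`, but how the arguments reach it is outside this diff), the replayer gets `--jwt-file=` with no path. Defining `CI_JOB_JWT_FILE` as a real CI variable with a fixed path avoids depending on expansion order.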