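# Builds the runnable wrapper for a single GitLab CI job.
#
# Outer arguments: lib, pkgs, and `helpers` (must provide filterJobVariables).
# Inner arguments:
#   key     - job name, interpolated into the derivation names
#   job     - job definition; `script` is required, `before_script` and
#             `after_script` default to []
#   jobDeps - file that the generated script sources first
#
# Result: a `gitlab-ci-job:${key}` executable that execs the sandbox helper
# with the generated job script and forwards its own arguments. `jobDeps` and
# `actualJobScript` are exposed under `passthru`.
{
  lib,
  pkgs,
  helpers,
}: let
  inherit (lib) concatLines mapAttrsToList getExe;
  inherit (helpers) filterJobVariables;
in
  {
    key,
    job,
    jobDeps,
  }: let
    # Presumably `false` selects the variables that do NOT contain store paths
    # (going by the binding name) - confirm against helpers.filterJobVariables.
    variablesWithoutStorePaths = filterJobVariables false job;

    # One `export NAME="VALUE"` line per variable.
    # NOTE(review): VALUE is placed inside double quotes without escaping, so
    # `"`, `$`, backticks and `\` in a value are interpreted by the shell when
    # the job runs. That keeps `$OTHER_VAR` references working, but it also
    # means a value can break out of the quotes. If values can originate
    # outside the repository's own Nix config, escape them (for example with
    # lib.escapeShellArg) and handle variable references explicitly.
    # NOTE(review): the generated script is a store path, and the Nix store is
    # world-readable; do not put secrets into job variables rendered here.
    variableExports = concatLines (
      mapAttrsToList (name: value: "export ${name}=\"${value}\"") variablesWithoutStorePaths
    );

    # Built from a fixed file, so the same derivation is reused by every job.
    sandboxHelper = pkgs.writeShellScriptBin "gitlab-ci-job-sandbox-helper" (builtins.readFile ./sandbox_helper.sh);

    # The job's before_script / script / after_script lines are inserted
    # verbatim and run as shell code.
    # NOTE(review): `set -x` echoes every command with its expanded arguments,
    # so sensitive values used on a command line end up in the job log.
    # NOTE(review): this script does not enable `set -e` itself; unless the
    # sandbox helper runs it that way, a failing before_script line does not
    # stop `script` from running - confirm the intended behaviour.
    actualJobScript = pkgs.writeShellScript "gitlab-ci-job:${key}:raw" ''
      # set up deps and environment variables containing store paths
      . ${jobDeps}
      # normal environment variables
      ${variableExports}
      # run before_script, script and after_script
      echo -e "\e[32mRunning before_script...\e[0m"
      set -x
      ${concatLines (job.before_script or [])}
      { set +x; } 2>/dev/null
      echo -e "\e[32mRunning script...\e[0m"
      set -x
      ${concatLines job.script}
      { set +x; } 2>/dev/null
      echo -e "\e[32mRunning after_script...\e[0m"
      set -x
      ${concatLines (job.after_script or [])}
      { set +x; } 2>/dev/null
    '';
  in
    # this way the sandbox helper just needs to be built once
    # "$@" is quoted so arguments containing whitespace or glob characters
    # reach the sandbox helper unchanged instead of being split or expanded.
    pkgs.writeShellScriptBin "gitlab-ci-job:${key}" ''
      exec ${getExe sandboxHelper} ${actualJobScript} "$@"
    ''
    // {
      passthru = {
        inherit jobDeps actualJobScript;
      };
    }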