authelia/.buildkite/pipeline.yml

48 lines
2.2 KiB
YAML

---
[CI] Fix pipeline dependencies (#964) * [CI] Fix pipeline dependencies This change ensures that CI_BYPASS works as intended and ensures that the hardcoded pipeline does not conflict with the repo provided dynamic pipeline. The hardcoded pipeline has been changed to reflect the following: ```yaml steps: # Blocking pipeline for master branch deployments (concurrency_group). - label: ":pipeline: Setup Pipeline" command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" concurrency: 1 concurrency_group: "deployments" if: build.branch == "master" # Non-blocking pipeline for all others (tagged commits/local branches/PRs). - label: ":pipeline: Setup Pipeline" command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" if: build.branch != "master" - wait: if: build.pull_request.repository.fork != true && build.branch !~ /^dependabot\/.*/ # Manual intervention by team required to deploy for forked PRs (prevent secret leakage). - block: "Public fork needs approval" if: build.pull_request.repository.fork == true # Blocking deployment for master branch deployments (concurrency_group). - label: ":rocket: Setup Deployment" command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" concurrency: 1 concurrency_group: "deployments" depends_on: ~ if: build.branch == "master" # Non-blocking deployment for all others (tagged commits/local branches). - label: ":rocket: Setup Deployment" command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" depends_on: ~ if: build.branch != "master" && build.branch !~ /^dependabot\/.*/ && build.pull_request.repository.fork != true # Removed dependency optimisation for forked PRs to enforce block step. - label: ":rocket: Setup Deployment" command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" if: build.pull_request.repository.fork == true ``` * [CI] Include upstream hardcoded pipeline in repo
2020-05-02 15:05:11 +00:00
# This represents the hardcoded pipeline set in the Buildkite interface, which executes the repo-provided dynamic pipeline.
# It is used to ensure that insecure code from an external PR cannot be executed before a maintainer's approval, to avoid
# secret leaks.
steps:
  # Blocking pipeline for master branch deployments (concurrency_group).
  - label: ':pipeline: Setup Pipeline'
    command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
    concurrency: 1
    concurrency_group: 'deployments'
    if: 'build.branch == "master"'
  # Non-blocking pipeline for all others (tagged commits/local branches/PRs).
  - label: ':pipeline: Setup Pipeline'
    command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
    if: 'build.branch != "master"'
  - wait:  # yamllint disable-line rule:empty-values
    if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/'  # yamllint disable-line rule:line-length
  # Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
  - block: 'Public fork needs approval'
    if: 'build.pull_request.repository.fork == true'
  # Blocking deployment for master branch deployments (concurrency_group).
  - label: ':rocket: Setup Deployment'
    command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
    concurrency: 1
    concurrency_group: 'deployments'
    depends_on: '~'
    if: 'build.branch == "master" && build.message !~ /^docs/'
  # Non-blocking deployment for all others (tagged commits/local branches).
  - label: ':rocket: Setup Deployment'
    command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
    depends_on: ~
    if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true'  # yamllint disable-line rule:line-length
  # Removed dependency optimisation for forked PRs to enforce block step.
  - label: ':rocket: Setup Deployment'
    command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
    if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true'
notify:
  - webhook: '<REDACTED WEBHOOK_URL>'
    if: 'build.state == "blocked"'
...
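
Added example, not part of the Authelia repository: a small Python model of the fork gate in the file above, narrowed to builds on branches other than master. It assumes that a step with `depends_on: ~` does not wait for earlier `wait`/`block` steps (the "dependency optimisation" the file's comment says is removed for forks); the step names, `Build` fields and sample builds are constructed for illustration.

```python
import re
from dataclasses import dataclass, replace
from typing import Callable

BOT = re.compile(r"^(dependabot|renovate)/.*")   # branch pattern from the file
DOCS = re.compile(r"^docs")                      # message pattern from the file


@dataclass(frozen=True)
class Build:
    branch: str
    message: str
    fork: bool      # models build.pull_request.repository.fork


@dataclass(frozen=True)
class Step:
    kind: str                       # "wait", "block" or "command"
    name: str                       # hypothetical short name, not a Buildkite key
    cond: Callable[[Build], bool]   # Python rendering of the step's `if:`
    no_deps: bool = False           # True models `depends_on: ~`


def is_bot(b): return bool(BOT.search(b.branch))
def is_docs(b): return bool(DOCS.search(b.message))


# The two gates and the two non-master deployment variants, in file order.
PIPELINE = [
    Step("wait", "wait", lambda b: not b.fork and not is_bot(b) and not is_docs(b)),
    Step("block", "Public fork needs approval", lambda b: b.fork),
    Step("command", "deploy (non-fork)",
         lambda b: b.branch != "master" and not is_bot(b)
         and not is_docs(b) and not b.fork, no_deps=True),
    Step("command", "deploy (fork)", lambda b: not is_docs(b) and b.fork),
]

# Misconfiguration for comparison: the fork variant keeps `depends_on: ~`.
WEAK = PIPELINE[:3] + [replace(PIPELINE[3], no_deps=True)]

# Constructed sample builds.
SAMPLES = [
    Build("feature/x", "feat: add thing", fork=False),
    Build("contributor:patch-1", "fix: typo in handler", fork=True),
    Build("contributor:docs", "docs: update readme", fork=True),
    Build("dependabot/npm/x", "build(deps): bump x", fork=False),
]


def deployment_gates(steps, build):
    """Map each deployment step selected for this build to the gates it waits for."""
    gates, selected = [], {}
    for step in steps:
        if not step.cond(build):
            continue                      # step is skipped for this build
        if step.kind in ("wait", "block"):
            gates.append(step.kind)
        else:
            selected[step.name] = [] if step.no_deps else list(gates)
    return selected


def unapproved_fork_deploys(steps, builds):
    """Return (branch, step) pairs where a fork build deploys without the block."""
    return [(b.branch, name)
            for b in builds if b.fork
            for name, gates in deployment_gates(steps, b).items()
            if "block" not in gates]


if __name__ == "__main__":
    for b in SAMPLES:
        print(b.branch, deployment_gates(PIPELINE, b))
    print("weak variant:", unapproved_fork_deploys(WEAK, SAMPLES))
```

Running the same check against a parsed copy of the pipeline in CI would flag a later edit that reintroduces `depends_on: ~` on the fork step.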