--- # This represents the hardcoded pipeline set in Buildkite interface which executes the repo provided dynamic pipeline. # It is used to ensure that insecure code from external PR cannot be executed before a maintainers approval, to avoid # secret leaks. steps: # Blocking pipeline for master branch deployments (concurrency_group). - label: ':pipeline: Setup Pipeline' command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload' concurrency: 1 concurrency_group: 'deployments' if: 'build.branch == "master"' # Non-blocking pipeline for all others (tagged commits/local branches/PRs). - label: ':pipeline: Setup Pipeline' command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload' if: 'build.branch != "master"' - wait: # yamllint disable-line rule:empty-values if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/' # yamllint disable-line rule:line-length # Manual intervention by team required to deploy for forked PRs (prevent secret leakage). - block: 'Public fork needs approval' if: 'build.pull_request.repository.fork == true' # Blocking deployment for master branch deployments (concurrency_group). - label: ':rocket: Setup Deployment' command: '.buildkite/deployment.sh | buildkite-agent pipeline upload' concurrency: 1 concurrency_group: 'deployments' depends_on: '~' if: 'build.branch == "master" && build.message !~ /^docs/' # Non-blocking deployment for all others (tagged commits/local branches). - label: ':rocket: Setup Deployment' command: '.buildkite/deployment.sh | buildkite-agent pipeline upload' depends_on: ~ if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true' # yamllint disable-line rule:line-length # Removed dependency optimisation for forked PRs to enforce block step. - label: ':rocket: Setup Deployment' command: '.buildkite/deployment.sh | buildkite-agent pipeline upload' if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true' notify: - webhook: '' if: 'build.state == "blocked"' ...