RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/.buildkite/pipeline.yml

48 lines
2.2 KiB
YAML
Raw Blame History

---
# This represents the hardcoded pipeline set in Buildkite interface which executes the repo provided dynamic pipeline.
# It is used to ensure that insecure code from external PR cannot be executed before a maintainers approval, to avoid
# secret leaks.
steps:
# Blocking pipeline for master branch deployments (concurrency_group).
- label: ':pipeline: Setup Pipeline'
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
concurrency: 1
concurrency_group: 'deployments'
if: 'build.branch == "master"'
# Non-blocking pipeline for all others (tagged commits/local branches/PRs).
- label: ':pipeline: Setup Pipeline'
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
if: 'build.branch != "master"'
- wait: # yamllint disable-line rule:empty-values
if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/' # yamllint disable-line rule:line-length
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
- block: 'Public fork needs approval'
if: 'build.pull_request.repository.fork == true'
# Blocking deployment for master branch deployments (concurrency_group).
- label: ':rocket: Setup Deployment'
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
concurrency: 1
concurrency_group: 'deployments'
depends_on: '~'
if: 'build.branch == "master" && build.message !~ /^docs/'
# Non-blocking deployment for all others (tagged commits/local branches).
- label: ':rocket: Setup Deployment'
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
depends_on: ~
if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true' # yamllint disable-line rule:line-length
# Removed dependency optimisation for forked PRs to enforce block step.
- label: ':rocket: Setup Deployment'
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true'
notify:
- webhook: '<REDACTED WEBHOOK_URL>'
if: 'build.state == "blocked"'
...
Reference in New Issue View Git Blame Copy Permalink