authelia/.buildkite/pipeline.yml

48 lines
2.0 KiB
YAML

---
# This represents the hardcoded pipeline set in Buildkite interface which executes the repo provided dynamic pipeline.
# It is used to ensure that insecure code from external PR cannot be executed before a maintainers approval, to avoid
# secret leaks.
steps:
# Blocking pipeline for master branch deployments (concurrency_group).
- label: ":pipeline: Setup Pipeline"
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
concurrency: 1
concurrency_group: "deployments"
if: build.branch == "master"
# Non-blocking pipeline for all others (tagged commits/local branches/PRs).
- label: ":pipeline: Setup Pipeline"
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
if: build.branch != "master"
- wait: # yamllint disable-line rule:empty-values
if: build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
- block: "Public fork needs approval"
if: build.pull_request.repository.fork == true
# Blocking deployment for master branch deployments (concurrency_group).
- label: ":rocket: Setup Deployment"
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
concurrency: 1
concurrency_group: "deployments"
depends_on: ~
if: build.branch == "master"
# Non-blocking deployment for all others (tagged commits/local branches).
- label: ":rocket: Setup Deployment"
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
depends_on: ~
if: build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.pull_request.repository.fork != true # yamllint disable-line rule:line-length
# Removed dependency optimisation for forked PRs to enforce block step.
- label: ":rocket: Setup Deployment"
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
if: build.pull_request.repository.fork == true
notify:
- webhook: "<REDACTED WEBHOOK_URL>"
if: build.state == "blocked"
...