From d301ebe47c1f5d409803c55a93b616485b7971b0 Mon Sep 17 00:00:00 2001 From: Amir Zarrinkafsh Date: Sun, 3 May 2020 01:05:11 +1000 Subject: [PATCH] [CI] Fix pipeline dependencies (#964) * [CI] Fix pipeline dependencies This change ensures that CI_BYPASS works as intended and ensures that the hardcoded pipeline does not conflict with the repo provided dynamic pipeline. The hardcoded pipeline has been changed to reflect the following: ```yaml steps: # Blocking pipeline for master branch deployments (concurrency_group). - label: ":pipeline: Setup Pipeline" command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" concurrency: 1 concurrency_group: "deployments" if: build.branch == "master" # Non-blocking pipeline for all others (tagged commits/local branches/PRs). - label: ":pipeline: Setup Pipeline" command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" if: build.branch != "master" - wait: if: build.pull_request.repository.fork != true && build.branch !~ /^dependabot\/.*/ # Manual intervention by team required to deploy for forked PRs (prevent secret leakage). - block: "Public fork needs approval" if: build.pull_request.repository.fork == true # Blocking deployment for master branch deployments (concurrency_group). - label: ":rocket: Setup Deployment" command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" concurrency: 1 concurrency_group: "deployments" depends_on: ~ if: build.branch == "master" # Non-blocking deployment for all others (tagged commits/local branches). - label: ":rocket: Setup Deployment" command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" depends_on: ~ if: build.branch != "master" && build.branch !~ /^dependabot\/.*/ && build.pull_request.repository.fork != true # Removed dependency optimisation for forked PRs to enforce block step. - label: ":rocket: Setup Deployment" command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" if: build.pull_request.repository.fork == true ``` * [CI] Include upstream hardcoded pipeline in repo --- .buildkite/steps/deployimages.sh | 16 +++++++++++++ .buildkite/upstream.yml | 40 ++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 .buildkite/upstream.yml diff --git a/.buildkite/steps/deployimages.sh b/.buildkite/steps/deployimages.sh index cf517872..bf78ede0 100755 --- a/.buildkite/steps/deployimages.sh +++ b/.buildkite/steps/deployimages.sh @@ -5,6 +5,22 @@ for BUILD_ARCH in amd64 arm32v7 arm64v8; do cat << EOF - label: ":docker: Deploy Image [${BUILD_ARCH}]" command: "authelia-scripts docker push-image --arch=${BUILD_ARCH}" + depends_on: +EOF +if [[ "${BUILD_ARCH}" == "amd64" ]]; then +cat << EOF + - "build-docker-linux-amd64" +EOF +elif [[ "${BUILD_ARCH}" == "arm32v7" ]]; then +cat << EOF + - "build-docker-linux-arm32v7" +EOF +else +cat << EOF + - "build-docker-linux-arm64v8" +EOF +fi +cat << EOF agents: upload: "fast" env: diff --git a/.buildkite/upstream.yml b/.buildkite/upstream.yml new file mode 100644 index 00000000..2b6776f7 --- /dev/null +++ b/.buildkite/upstream.yml @@ -0,0 +1,40 @@ +# This represents the hardcoded pipeline set in Buildkite interface which executes the repo provided dynamic pipeline. +# It is used to ensure that insecure code from external PR cannot be executed before a maintainers approval, to avoid secret leaks. +steps: + # Blocking pipeline for master branch deployments (concurrency_group). + - label: ":pipeline: Setup Pipeline" + command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" + concurrency: 1 + concurrency_group: "deployments" + if: build.branch == "master" + + # Non-blocking pipeline for all others (tagged commits/local branches/PRs). + - label: ":pipeline: Setup Pipeline" + command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" + if: build.branch != "master" + + - wait: + if: build.pull_request.repository.fork != true && build.branch !~ /^dependabot\/.*/ + + # Manual intervention by team required to deploy for forked PRs (prevent secret leakage). + - block: "Public fork needs approval" + if: build.pull_request.repository.fork == true + + # Blocking deployment for master branch deployments (concurrency_group). + - label: ":rocket: Setup Deployment" + command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" + concurrency: 1 + concurrency_group: "deployments" + depends_on: ~ + if: build.branch == "master" + + # Non-blocking deployment for all others (tagged commits/local branches). + - label: ":rocket: Setup Deployment" + command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" + depends_on: ~ + if: build.branch != "master" && build.branch !~ /^dependabot\/.*/ && build.pull_request.repository.fork != true + + # Removed dependency optimisation for forked PRs to enforce block step. + - label: ":rocket: Setup Deployment" + command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" + if: build.pull_request.repository.fork == true \ No newline at end of file