From c3bc75f064ef814634a8ed140e2290f5a458c02a Mon Sep 17 00:00:00 2001
From: Cole Helbling
Date: Thu, 1 Jun 2023 09:02:53 -0700
Subject: [PATCH] Trigger buildkite on external PRs (#496)
---
.github/workflows/buildkite-external-prs.yaml | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 .github/workflows/buildkite-external-prs.yaml
diff --git a/.github/workflows/buildkite-external-prs.yaml b/.github/workflows/buildkite-external-prs.yaml
new file mode 100644
index 0000000..ceffc57
--- /dev/null
+++ b/.github/workflows/buildkite-external-prs.yaml
@@ -0,0 +1,23 @@
+name: Trigger Buildkite on External PR
+
+on:
+ pull_request:
+ types:
+ - labeled
+
+jobs:
+ trigger:
+ # Only intra-repo PRs are allowed to have Buildkite run on them automatically
+ # In order to allow PRs from third parties to build on Buildkite, we require an org member add a label after the PR has been vetted.
+ # This will only happen when the label is added, so as to reduce the risk of an innocuous first commit with malicious follow-up commits (after the label was added).
+ # This means, if the contributor's PR needs changes, someone with the ability to change labels will need to _remove_ the `trigger buildkite` label, _and then re-add it_.
+ if: github.event.action == 'labeled' && github.event.label.name == 'trigger buildkite'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Trigger a Buildkite Build
+ uses: "buildkite/trigger-pipeline-action@v1.5.0"
+ env:
+ BUILDKITE_API_ACCESS_TOKEN: ${{ secrets.TRIGGER_BK_BUILD_TOKEN }}
+ PIPELINE: "determinate-systems-inc/nix-installer"
+ COMMIT: ${{ github.event.pull_request.head.sha }}
+ MESSAGE: ":github: Triggered from a GitHub Action"
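Review bot: The `pull_request` trigger will likely leave `BUILDKITE_API_ACCESS_TOKEN` empty for exactly the PRs this workflow targets, because GitHub does not pass repository secrets to `pull_request` runs that originate from a fork; `pull_request_target:` with the same `types` would supply the secret, and stays safe only as long as this job never checks out or executes PR content. The `if:` gate also builds whatever `head.sha` is at the moment the label is applied, so a commit pushed between the reviewer's vetting and the labeling would be built unreviewed; the comment block should tell the labeler to check this, e.g. `# Before adding the label, confirm the PR head is still the commit you reviewed.` Since this step holds the Buildkite token, pin the action to a full commit SHA instead of the mutable tag (`uses: "buildkite/trigger-pipeline-action@<full-commit-sha>"`, with the version kept in a trailing comment) and add `permissions: {}` to the job, which makes no visible use of `GITHUB_TOKEN`.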