Trigger buildkite on external PRs (#496)

2023-06-01 09:02:53 -07:00 · 2023-06-01 09:02:53 -07:00 · c3bc75f064
parent 7ec5148e6d
commit c3bc75f064
1 changed files with 23 additions and 0 deletions
--- a/.github/workflows/buildkite-external-prs.yaml
+++ b/.github/workflows/buildkite-external-prs.yaml
@ -0,0 +1,23 @@
+name: Trigger Buildkite on External PR
+
+on:
+  pull_request:
+    types:
+      - labeled
+
+jobs:
+  trigger:
+    # Only intra-repo PRs are allowed to have Buildkite run on them automatically
+    # In order to allow PRs from third parties to build on Buildkite, we require an org member add a label after the PR has been vetted.
+    # This will only happen when the label is added, so as to reduce the risk of an innocuous first commit with malicious follow-up commits (after the label was added).
+    # This means, if the contributor's PR needs changes, someone with the ability to change labels will need to _remove_ the `trigger buildkite` label, _and then re-add it_.
+    if: github.event.action == 'labeled' && github.event.label.name == 'trigger buildkite'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger a Buildkite Build
+        uses: "buildkite/trigger-pipeline-action@v1.5.0"
+        env:
+          BUILDKITE_API_ACCESS_TOKEN: ${{ secrets.TRIGGER_BK_BUILD_TOKEN }}
+          PIPELINE: "determinate-systems-inc/nix-installer"
+          COMMIT: ${{ github.event.pull_request.head.sha }}
+          MESSAGE:  ":github: Triggered from a GitHub Action"