diff --git a/.github/workflows/buildkite-pr-command.yml b/.github/workflows/buildkite-pr-command.yml
new file mode 100644
index 00000000..c84ce7fb
--- /dev/null
+++ b/.github/workflows/buildkite-pr-command.yml
@@ -0,0 +1,41 @@
+# Lets a maintainer run Buildkite CI on a pull request on demand -- including fork
+# PRs, which Buildkite won't build automatically -- by commenting "buildkite test this".
+# Only commenters with write access can trigger it; no fork code runs here (REST API only).
+# Requires a repo secret BUILDKITE_API_TOKEN scoped to `write_builds`.
+name: "Buildkite: build this PR on demand"
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+
+jobs:
+  buildkite-test-this:
+    if: >-
+      github.event.issue.pull_request != null &&
+      contains(github.event.comment.body, 'buildkite test this')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify commenter has write access
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          ACTOR: ${{ github.event.comment.user.login }}
+        run: |
+          level=$(gh api "repos/${REPO}/collaborators/${ACTOR}/permission" --jq .permission)
+          case "$level" in
+            admin|write|maintain) ;;
+            *) echo "::error::@${ACTOR} lacks write access (permission: ${level})"; exit 1 ;;
+          esac
+
+      - name: Trigger Buildkite build
+        env:
+          BUILDKITE_API_TOKEN: ${{ secrets.BUILDKITE_API_TOKEN }}
+          PR: ${{ github.event.issue.number }}
+        run: |
+          curl -fsS -X POST \
+            -H "Authorization: Bearer ${BUILDKITE_API_TOKEN}" \
+            "https://api.buildkite.com/v2/organizations/elastic/pipelines/support-diagnostics/builds" \
+            -d "{\"commit\":\"HEAD\",\"branch\":\"refs/pull/${PR}/head\",\"pull_request_id\":${PR},\"pull_request_base_branch\":\"main\"}"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index bc740c5c..f84ea104
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
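Review bot: The "Trigger Buildkite build" step sends `"commit":"HEAD"` for `refs/pull/${PR}/head`, so Buildkite builds whatever the PR head is when it fetches, not the commit the maintainer reviewed; a fork author who pushes after the `buildkite test this` comment (or in the window before the fetch) gets different code run with the pipeline's credentials, and the CONTRIBUTING advice to review the diff first does not close that window. Resolve the head SHA inside the workflow with `gh api "repos/${REPO}/pulls/${PR}" --jq .head.sha`, pass it as `commit`, and echo it so the run log records what was actually built, as sketched below. Reading the PR with `github.token` under the existing `permissions:` block likely needs `pull-requests: read` added next to `contents: read`. The same call's `.base.ref` could also replace the hard-coded `pull_request_base_branch` of `main` for PRs that target another branch, if the pipeline depends on it. (Minor: the collaborator permission endpoint's `permission` field reports `maintain` as `write`, so the `maintain` arm of the `case` is harmless but effectively dead.)

```yaml
      - name: Trigger Buildkite build
        env:
          GH_TOKEN: ${{ github.token }}
          BUILDKITE_API_TOKEN: ${{ secrets.BUILDKITE_API_TOKEN }}
          REPO: ${{ github.repository }}
          PR: ${{ github.event.issue.number }}
        run: |
          # Pin the build to the PR head as of the trigger so a push after the
          # maintainer's review cannot swap in different code; log it for the record.
          sha=$(gh api "repos/${REPO}/pulls/${PR}" --jq .head.sha)
          echo "Building PR #${PR} at ${sha}"
          curl -fsS -X POST \
            -H "Authorization: Bearer ${BUILDKITE_API_TOKEN}" \
            "https://api.buildkite.com/v2/organizations/elastic/pipelines/support-diagnostics/builds" \
            -d "{\"commit\":\"${sha}\",\"branch\":\"refs/pull/${PR}/head\",\"pull_request_id\":${PR},\"pull_request_base_branch\":\"main\"}"
```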
@@ -26,6 +26,20 @@ This is a tool used by the Elastic Support team to collect the necessary data to
 - Main class: `co.elastic.support.diagnostics.DiagnosticApp`
 - Program arguments (example): `-o ~/tmp/diag-output -h localhost -u elastic --passwordText changeme`. Put whatever arguments you would like to run the application with as default.
+### Running Buildkite CI on a fork pull request
+
+Buildkite does not automatically build pull requests opened from forks, to
+avoid running untrusted code with CI credentials. If you are a maintainer and
+want to run the Buildkite pipeline against a fork PR, comment `buildkite test this`
+on the PR. This is handled by
+[`.github/workflows/buildkite-pr-command.yml`](.github/workflows/buildkite-pr-command.yml),
+which only triggers a build for commenters with write/maintain/admin access to
+this repository.
+
+Before commenting, review the PR diff -- particularly any changes under
+`.buildkite/`, `Dockerfile*`, or build scripts -- since the triggered build runs
+the pipeline as defined in the PR itself.
+
 ### Releasing to Maven Central
 In order to release the code to Maven Central, you must have a Sonatype account