commit c00c81538b567439c16237ba43d0d1465232b1e0
author Yun Peng <pcloudy@google.com> Wed Sep 25 15:34:14 2024 +0200
committer GitHub <noreply@github.com> Wed Sep 25 15:34:14 2024 +0200
tree 7718a5b3a959c5544c350713e21dfd5ed9587d9b
parent 5296abb2d2d12d39d4dc44eecdde67b57aed5e3f

Add buildkite access token for trusted org (#2042)

Follow up on
https://github.com/bazelbuild/continuous-integration/pull/2041 to add
support for buildkite api access from trusted org so that it inspect the
pipeline build result before publishing the last green commit.

So far the token only has read access to builds.

buildkite/bazelci.py

diff --git a/buildkite/bazelci.py b/buildkite/bazelci.py
index 6b20368..ce8b118 100755
--- a/buildkite/bazelci.py
+++ b/buildkite/bazelci.py
@@ -639,18 +639,24 @@
 
 
 class BuildkiteClient(object):
-    _ENCRYPTED_BUILDKITE_API_TOKEN = """
+    _ENCRYPTED_BUILDKITE_UNTRUSTED_API_TOKEN = """
 CiQA4DEB9ldzC+E39KomywtqXfaQ86hhulgeDsicds2BuvbCYzsSUAAqwcvXZPh9IMWlwWh94J2F
 exosKKaWB0tSRJiPKnv2NPDfEqGul0ZwVjtWeASpugwxxKeLhFhPMcgHMPfndH6j2GEIY6nkKRbP
 uwoRMCwe
 """.strip()
 
-    _ENCRYPTED_BUILDKITE_API_TESTING_TOKEN = """
+    _ENCRYPTED_BUILDKITE_TESTING_API_TOKEN = """
 CiQAMTBkWjL1C+F5oon3+cC1vmum5+c1y5+96WQY44p0Lxd0PeASUQAy7iU0c6E3W5EOSFYfD5fA
 MWy/SHaMno1NQSUa4xDOl5yc2kizrtxPPVkX4x9pLNuGUY/xwAn2n1DdiUdWZNWlY1bX2C4ex65e
 P9w8kNhEbw==
 """.strip()
 
+    _ENCRYPTED_BUILDKITE_TRUSTED_API_TOKEN = """
+CiQAeiOS8AkJ92+STSUmqW/jlR9DKDZdX5PZIWn30PtyKXWE/74SVwC7bbymSHneleAcgXtVJsMu
+2DEEVd/uEGIdiEJigmPAPTs4vtmX/7ZxTsMhJ+rxRYBGufw9LgT+G6Bjg0ETifavKWHGzw+NTgUa
+gwD6RBL0qz1PFfg7Zw==
+""".strip()
+
     _BUILD_STATUS_URL_TEMPLATE = (
         "https://api.buildkite.com/v2/organizations/{}/pipelines/{}/builds/{}"
     )
@@ -671,14 +677,17 @@
     def _get_buildkite_token(self):
         return decrypt_token(
             encrypted_token=(
-                self._ENCRYPTED_BUILDKITE_API_TESTING_TOKEN
-                if THIS_IS_TESTING
-                else self._ENCRYPTED_BUILDKITE_API_TOKEN
+                self._ENCRYPTED_BUILDKITE_TRUSTED_API_TOKEN if THIS_IS_TRUSTED else
+                self._ENCRYPTED_BUILDKITE_TESTING_API_TOKEN if THIS_IS_TESTING else
+                self._ENCRYPTED_BUILDKITE_UNTRUSTED_API_TOKEN
             ),
             kms_key=(
-                "buildkite-testing-api-token"
-                if THIS_IS_TESTING
-                else "buildkite-untrusted-api-token"
+                "buildkite-trusted-api-token" if THIS_IS_TRUSTED else
+                "buildkite-testing-api-token" if THIS_IS_TESTING else
+                "buildkite-untrusted-api-token"
+            ),
+            project=(
+                "bazel-public" if THIS_IS_TRUSTED else "bazel-untrusted"
             ),
         )