try leaking a secret

Author: nkammah

.buildkite/build_pr_pipeline.yml

@@ -1,19 +1,23 @@
 steps:
   - key: "build-pr-setup"
     label: "setup"
-    command: .buildkite/scripts/build_pr_setup.sh
+    command: ".buildkite/scripts/build_pr_commit_status.sh pending 'Build started'"
   - key: "build-pr"
     label: ":hammer: Build docs PR"
-    command: |
-      bash .buildkite/scripts/build_pr.sh
+    command: echo 'hello' #".buildkite/scripts/build_pr.sh"
     depends_on:
       - step: build-pr-setup
         allow_failure: true
     agents:
       provider: "gcp"
       image: family/docs-ubuntu-2204
-  - command: ".buildkite/scripts/build_pr_teardown.sh || true"
+  - command: ".buildkite/scripts/build_pr_commit_status.sh || true"
     label: "teardown"
+    command: |
+      if [ $(buildkite-agent step get "outcome" --step "build-pr") == "passed" ]; then
+        .buildkite/scripts/build_pr_commit_status.sh 'success' 'Build finished'
+      else
+        .buildkite/scripts/build_pr_commit_status.sh 'failure' 'Build finished'
+      fi
     depends_on:
       - step: "build-pr"
-        allow_failure: true

.buildkite/hooks/pre-command

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -euo pipefail
+
+function retry {
+    local retries=$1
+    shift
+
+    local count=0
+    until "$@"; do
+        exit=$?
+        wait=$((2 ** count))
+        count=$((count + 1))
+        if [ $count -lt "$retries" ]; then
+            >&2 echo "Retry $count/$retries exited $exit, retrying in $wait seconds..."
+            sleep $wait
+        else
+            >&2 echo "Retry $count/$retries exited $exit, no more retries left."
+            return $exit
+        fi
+    done
+    return 0
+}
+
+# Secrets must be redacted
+# https://buildkite.com/docs/pipelines/managing-log-output#redacted-environment-variables
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "docs-build-pr" ]];then
+    export GITHUB_TOKEN=$(retry 5 vault kv get -field=value secret/ci/elastic-docs/docs_preview_cleaner)
+fi

.buildkite/scripts/build_pr_teardown.sh renamed to .buildkite/scripts/build_pr_commit_status.sh

@@ -6,22 +6,34 @@ set -euo pipefail
 if [ -z ${GITHUB_PR_OWNER+set} ] || [ -z ${GITHUB_PR_REPO+set} ] || [ -z ${GITHUB_PR_TRIGGERED_SHA+set} ];then
   exit 0
 fi
-exit 1
-gitHubToken=$(vault read -field=value secret/ci/elastic-docs/docs_preview_cleaner)
 
-if [ $(buildkite-agent step get "outcome" --step "build-pr") == "passed" ]; then
-  status_state="success"
-else
-  status_state="failure"
+
+if [ $# -lt 2 ]; then
+  echo "Usage: $0 <state> <description>"
+  exit 1
 fi
 
+status_state=$1
+description=$2
+
+case $status_state in
+    pending|success|failure|error)
+      echo "Setting buildkite/docs commit status to ${status_state}";;
+    *)
+      echo "Invalid state"
+      exit 1;;
+esac
+set -x
+echo "The value of my secret is $MY_SECRET"
+
 githubPublishStatus="https://api.github.com/repos/${GITHUB_PR_OWNER}/${GITHUB_PR_REPO}/statuses/${GITHUB_PR_TRIGGERED_SHA}"
-data='{"state":"'$status_state'","target_url":"'$BUILDKITE_BUILD_URL'","description":"Build finished.","context":"buildkite/'$BUILDKITE_PIPELINE_SLUG'"}'
-echo "Setting buildkite/docs commit status to ${status_state}"
+
+data='{"state":"'$status_state'","target_url":"'$BUILDKITE_BUILD_URL'","description":"'$description'","context":"buildkite/'$BUILDKITE_PIPELINE_SLUG'"}'
+
 curl -s -L \
   -X POST \
   -H "Accept: application/vnd.github+json" \
-  -H "Authorization: Bearer ${gitHubToken}" \
+  -H "Authorization: Bearer ${GITHUB_TOKEN}" \
   -H "X-GitHub-Api-Version: 2022-11-28" \
   "${githubPublishStatus}" \
   -d "${data}"

.buildkite/scripts/build_pr_setup.sh

@@ -2,6 +2,19 @@
 
 set -euo pipefail
 
+echo "The value is $MY_SECRET"
+
+state=$(buildkite-agent step get "state" --step "build-pr-setup")
+echo "State of build-pr-setup is $state"
+
+state=$(buildkite-agent step get "outcome" --step "build-pr-setup")
+echo "outcome of build-pr-setup is $state"
+
+state=$(buildkite-agent step get "state" --step "build-pr")
+echo "State is $state"
+
+state=$(buildkite-agent step get "outcome" --step "build-pr")
+echo "outcome of build-pr is $state"
 # Configure the git author and committer information
 export GIT_AUTHOR_NAME='Buildkite CI'
 export GIT_AUTHOR_EMAIL='[email protected]'