Play nice with GitHub applications

[jeffparsons]

TL;DR: If this isn't possible, could you please hack (INSERT INTO ...) stile-bors-ng[bot]@users.noreply.github.com onto my account? 😁

Similar to https://github.com/buildkite/feedback/issues/258, but for the fake email addresses generated for GitHub applications.

I'm currently trying to set up a private deployment of the Bors merge bot for use in our GitHub organisation. I'm most of the way there, but I'm currently stuck on Buildkite refusing to trigger builds because it doesn't recognise the GitHub application's commits as being associated with any Buildkite users.

2018-02-09 03:44:21 FATAL Failed to upload and process pipeline: POST https://agent.buildkite.com/v3/jobs/73236d70-e406-4fbb-9e16-5c7d97fedc46/pipelines: 422 Builds cannot be triggered from this pipeline as there is no Buildkite user linked to this build. Ensure that a user has added "stile-bors-ng[bot]@users.noreply.github.com" as a verified email address on their account.

I tried adding stile-bors-ng[bot]@users.noreply.github.com to my own account, but Buildkite rejected the address (because of special characters) no matter how I quoted it. I'm guessing trying to push down this path would be futile anyway because there's no way I can verify the address.

I'm not even sure what "play nice with GitHub applications" would actually look like in Buildkite. Come to think of it, I'm not sure why the email address associated a commit needs to be "verified"; I haven't been signing any of my commits, and yet (if I'm not mistaken) Buildkite will perfectly happily match the email address on the commit (which can be spoofed) with my Buildkite account, and use the permissions from my Buildkite account for that build. So I don't actually understand how all this is supposed to fit together. 😅

If nothing along these lines is really feasible, I'd be perfectly happy to have that bot email address manually inserted as as a "verified email" on my Buildkite account instead.

[lox]

Thanks @jeffparsons, we will figure out how to make this work.

[jeffparsons]

Got your email. Thanks a bunch, @lox. 🎉🙏

[JensRantil]

Any progress here? We are also interesting in making this work.

[keithpitt]

@JensRantil 👋 yeah, we've got a solution to get GitHub application bots working! If you shoot us an email with what bot you want to use, and your BK organisation - we'll be able to help you out. I'll close this issue for now!

[jeffparsons]

Can confirm: Buildkite folks are really awesome. :)

[dan-lee]

I guess this is related:

We've got a public repository on GitHub which should also trigger a Buildkite pipeline for some internal stuff, but we are facing the very same issue:

422 Builds cannot be triggered from this pipeline as there is no Buildkite user linked to this build. Ensure that a user has added "dan-lee@users.noreply.github.com" as a verified email address on their account. (Attempt 1/5 Retrying in 1s)

Is there anything we can do to trigger builds anonymously for this pipeline?

[ivan-kolmychek]

Yep, same here as in @dan-lee case. Maybe we should create separate issue for this?

[ivan-kolmychek]

As feedback has been moving to discourse, I created a "Trigger step and commits from external contributors in public repos" thread there.

[mgoodings]

@dan-lee @ivan-kolmychek I made a thing: https://github.com/mgoodings/assume-identity-buildkite-plugin

[toolmantim]

For future travelers, we now have support for easily adding bot users to your BK org.

For dependabot, If you invite ‪support@dependabot.com‬ to your org, it'll automatically accept the invite and skip billing. You'll be able to add it to whatever teams you see fit. And it’s a bot user, managed by us, that has no ability to login.

[AndreiRailean]

@toolmantim we added ‪support@dependabot.com‬ and it didn't auto-accept

[toolmantim]

@AndreiRailean does your org use SSO? If so, you'll need to make sure you select "SSO Optional" for the user. If not, email support@buildkite.com and I can investigate for you.

[AndreiRailean]

thanks @toolmantim. no, our org doesn't use SSO. email sent.

[stiak]

We had successfully invited ‪support@dependabot.com to our org, but now dependabot seems to use dependabot-preview[bot]@users.noreply.github.com for us now. Any tips on how to update it?

EDIT: Fixed by buildkite! 🎉

[Tariqchandio01]

Hellp me create github command