Hi @jerry! Sorry this stuff has been a difficult one for us to get right.
When you trigger a build from one pipeline to another pipeline and you’re using teams on Buildkite, we need to make sure that the build has permission to do so.
When the build is created by a clear Buildkite user we can use their permissions to check, i.e. is the user a member of a team which allows them to “build” the target pipeline.
When there is no clear creator, like a build triggered by a webhook with a git author that does not match a Buildkite user, we also want to enable builds to be triggered if it seems sensible. So we look at which teams the source pipeline is in, and which teams that the target pipeline is in, and if they share a team which can “build” then we allow the trigger. The source pipeline can essentially “build” the target pipeline, as it could if there was a creator in that team who could build.
The only exception to permissions between pipelines is that a public pipeline may never trigger a build in a private pipeline without a clear build creator.
Does that make sense? Sorry it’s not documented somewhere! I’ll see what we can do about that.