I tried to find matches online or in GitHub for this message, but couldn’t find anything at all.
Can someone explain the precise conditions/rules that trigger this error message on triggered pipelines? I think I understand the specific problem that triggered it for the error I encountered…
…but I’d like to make sure I have a full understanding of the underlying rule before I try to turn this into practical advice for the engineering department.
(Also, it’d be nice if this message was actually covered somewhere in the documentation!)
If you have Teams enabled in your organization, the authoring user must also have:
‘Build’ permission on every pipeline that will be triggered
So, I guess my question is:
Should I believe the documentation for the Trigger Step? (i.e. user must have Build permission everywhere, but that can be through a variety of different teams for different pipelines) … or…
The literal error message which suggests that there must be a team in common between triggering/triggered pipelines?
Hi @jerry! Sorry this stuff has been a difficult one for us to get right.
When you trigger a build from one pipeline to another pipeline and you’re using teams on Buildkite, we need to make sure that the build has permission to do so.
When the build is created by a clear Buildkite user we can use their permissions to check, i.e. is the user a member of a team which allows them to “build” the target pipeline.
When there is no clear creator, like a build triggered by a webhook with a git author that does not match a Buildkite user, we also want to enable builds to be triggered if it seems sensible. So we look at which teams the source pipeline is in, and which teams the target pipeline is in, and if they share a team which can “build” then we allow the trigger. The source pipeline can essentially “build” the target pipeline, as it could if there was a creator in that team who could build.
The only exception to permissions between pipelines is that a public pipeline may never trigger a build in a private pipeline without a clear build creator.
Does that make sense? Sorry it’s not documented somewhere! I’ll see what we can do about that.
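The rule described in the reply above, modelled as an added Python example (not Buildkite's code and not written by either poster) that audits which trigger edges would be denied for builds with no matched user. The class and function names, the access labels and the sample pipelines are constructed, and it assumes the shared team needs build access on the target pipeline only.

```python
# Added model of the trigger rule described above; not Buildkite's code.
# All names, access labels and sample pipelines are constructed.
from dataclasses import dataclass, field

@dataclass
class Pipeline:
    slug: str
    public: bool = False
    team_access: dict = field(default_factory=dict)  # team -> "build" | "read"

    def build_teams(self):
        return {t for t, lvl in self.team_access.items() if lvl == "build"}

def can_trigger(source, target, creator_teams=None):
    """Return (allowed, reason). creator_teams is None when the build has no
    matched Buildkite user (schedule, or webhook with an unknown git author)."""
    if creator_teams is not None:
        ok = bool(set(creator_teams) & target.build_teams())
        return ok, ("creator can build target" if ok
                    else "creator lacks build on target")
    if source.public and not target.public:
        return False, "public source, private target, no creator"
    # Assumption: the shared team needs build access on the target only.
    shared = set(source.team_access) & target.build_teams()
    if shared:
        return True, "shared team: " + ", ".join(sorted(shared))
    return False, "no shared team with build access"

def audit(pipelines, triggers):
    """Trigger edges that would be denied when there is no build creator."""
    denied = []
    for src, dst in triggers:
        allowed, reason = can_trigger(pipelines[src], pipelines[dst])
        if not allowed:
            denied.append((src, dst, reason))
    return denied

PIPELINES = {p.slug: p for p in [
    Pipeline("app", team_access={"backend": "build"}),
    Pipeline("deploy", team_access={"backend": "build", "ops": "build"}),
    Pipeline("infra", team_access={"ops": "build"}),
    Pipeline("docs-site", public=True, team_access={"backend": "build"}),
]}
TRIGGERS = [("app", "deploy"), ("app", "infra"), ("docs-site", "deploy")]

if __name__ == "__main__":
    for src, dst, reason in audit(PIPELINES, TRIGGERS):
        print(f"{src} -> {dst}: DENIED without creator ({reason})")
```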
So, TL;DR – if we make sure that all our GitHub users have Buildkite user accounts as well, then I should normally expect the “matching team” not to be a constraint.
However, for any pipelines that get triggered on a schedule (no user involved) or some other means (API / webhook) without a user associated, I could still see the “Teams” constraint applying?
If that’s all the case, then I think I know enough not to bump into sharp edges.