Rebuilds fail with interpolation error

Hi all,

In my pipeline, I’m using encrypted environment variables to set secrets that can only be decrypted by the agents. That’s been working just fine, but since a couple of weeks/months I’ve been having issues with rebuilds. Yes, initial builds work perfectly fine, but as soon as I click the Rebuild button in the Buildkite UI I get the following error:

FATAL Couldn’t upload the “pipeline.yml” pipeline. Refusing to upload pipeline containing the value interpolated from the “SECRET_CODECOV_TOKEN” environment variable. Ensure your pipeline does not include secret values or interpolated secret values.
Error: The command exited with status 1

But I’m not actually interpolating this value? Even if I were, that’s perfectly fine, so I don’t get why it started failing because of that (only during rebuilds, at that).

An example of such a build: https://buildkite.com/julialang/cuda-dot-jl/builds/2866#e2fdf1e2-dcb2-4a94-9673-6ba3f9a56c3e. If I force-pushed instead, the build just kicked of normally: https://buildkite.com/julialang/cuda-dot-jl/builds/2867. I’d say this looks like a Buildkite bug, or am I doing something wrong?

Hey @maleadt!

Which agent version are you using? We introduced a change on agent v.3.34.0 so that the buildkite-agent pipeline upload command would reject any pipeline yaml that had sensitive values in it.
We consider this a great security feature, but unfortunately, it’s a breaking change, and we accidentally shipped it as part of a minor release.

We fixed it on v.3.34.1.

Hope this helps!

Best,

Ah yes, we’re using v3.34.0. I’ll try upgrading.
Although I get that this is a useful security feature, the fact that it only happens when rebuilding does seem to imply it’s slightly buggy (apart from the breaking part)?