I’d like a way to enforce the pipeline execution for each step.
Say I have a public repo with 3rd party forks contributing to the source. Currently, with the Build pull requests from third-party forked repositories option enabled, anyone has unfettered access to change the .buildkite/ files and create a pull request to run said changes on any Buildkite agent.
I’d like a way to limit this by having a pipeline setting, likely under Build pull requests from third-party forked repositories, that points to the .buildkite/ directory of a specified protected branch/ref or the base branch of the triggered PR. This way the pipeline upload and the steps are running only protected code.
But open to ideas or suggestions on how to achieve this currently.
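
One way to approximate the requested behaviour today, as an added example that is not part of the original post and not Buildkite's own code: an agent-level post-checkout hook that, for fork pull requests, replaces the checked-out .buildkite/ directory with the copy from a trusted branch. It assumes the standard BUILDKITE_PULL_REQUEST, BUILDKITE_PULL_REQUEST_REPO, BUILDKITE_REPO and BUILDKITE_PULL_REQUEST_BASE_BRANCH job variables and a remote named origin; TRUSTED_PIPELINE_BRANCH and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sketch of an agent-level post-checkout hook; not Buildkite's own code.
# Assumes the job environment provides BUILDKITE_PULL_REQUEST, BUILDKITE_PULL_REQUEST_REPO,
# BUILDKITE_REPO and BUILDKITE_PULL_REQUEST_BASE_BRANCH, and that the remote is "origin".
# TRUSTED_PIPELINE_BRANCH is a hypothetical agent-side setting naming a protected branch.

# Succeeds only for a pull request whose head repository differs from the pipeline's repository.
is_fork_pr() {
  [ "${BUILDKITE_PULL_REQUEST:-false}" != "false" ] || return 1
  [ -n "${BUILDKITE_PULL_REQUEST_REPO:-}" ] || return 1
  [ "${BUILDKITE_PULL_REQUEST_REPO}" != "${BUILDKITE_REPO:-}" ]
}

# Replace .buildkite/ in the checkout with the copy stored at trusted ref $1.
pin_pipeline_dir() {
  # Fail closed when the trusted ref cannot be resolved.
  if ! git rev-parse --verify --quiet "$1^{commit}" >/dev/null; then
    echo "trusted ref '$1' not found; refusing to run fork build" >&2
    return 1
  fi
  # Drop everything the pull request shipped under .buildkite/, including
  # files that do not exist at the trusted ref and would survive a plain checkout.
  git rm -r -q -f --cached --ignore-unmatch -- .buildkite >/dev/null || return 1
  rm -rf -- .buildkite || return 1
  # Restore the trusted copy if that ref has one.
  if git cat-file -e "$1:.buildkite" 2>/dev/null; then
    git checkout -q "$1" -- .buildkite || return 1
  fi
}

# Hook body: for fork pull requests, fetch the trusted branch and pin .buildkite/ to it.
pin_fork_pipeline() {
  is_fork_pr || return 0
  branch="${TRUSTED_PIPELINE_BRANCH:-${BUILDKITE_PULL_REQUEST_BASE_BRANCH:-}}"
  [ -n "$branch" ] || { echo "no trusted branch configured" >&2; return 1; }
  git fetch -q origin "$branch" || return 1
  pin_pipeline_dir FETCH_HEAD
}

# Only act inside a Buildkite job; a non-zero exit fails the job before its command runs.
[ -z "${BUILDKITE_PULL_REQUEST:-}" ] || pin_fork_pipeline || exit 1
```

This pins only files under .buildkite/; scripts elsewhere in the repository that the trusted pipeline calls still come from the pull request.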