adikari/monorepo-diff-buildkite-plugin

Cannot define downstream pipelines with multiple different plugins

Opened this issue · 0 comments

Hello folks,

Thank you for this great plugin. We have a use case where we are using this plugin to trigger downstream pipelines; however, we also need one or more of the downstream pipelines to use another plugin, for example to retrieve secrets from AWS Secrets Manager.

At first, we worked around it by listing the AWS plugin before the monorepo-diff plugin and storing the secret in an environment variable that can then be passed to monorepo-diff, which in turn would use it in downstream pipelines. The following works; however, it exposes the retrieved secrets in the Buildkite runner's environment tab in the pipeline job, since monorepo-diff is creating the job with an environment variable.

    plugins:
      - seek-oss/aws-sm#v2.3.1:
          env:
            SECRET_ENV_VAR:
              secret-id: "secret/id"
              json-key:  ".json_key"
      - monebag/monorepo-diff#v2.5.8:
          diff: "./scripts/ci/changed_files.sh"
          env: 
            - SECRET_ENV_VAR
          watch:
            - path:
                - "foo/**"
              config:
                label: "Docker images"
                key: "docker-images"
               ...

Therefore, we need a feature that allows specifying plugins for each of the downstream jobs, something like this:

    plugins:
      - monebag/monorepo-diff#v2.5.8:
          diff: "./scripts/ci/changed_files.sh"
          watch:
            - path:
                - "foo/**"
              config:
                label: "Docker images"
                key: "docker-images"
               ...
                plugins:
                  - seek-oss/aws-sm#v2.3.1:
                      env:
                        SECRET_ENV_VAR:
                          secret-id: "secret/id"
                          json-key:  ".json_key"

I tested a quick fix and this does seem to do the trick and keep the secrets from being exposed. I'm happy to provide the contributing PR to add this.
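
The exposure described in this issue can be caught in review with a small pipeline lint. The following is an added example, not part of the original issue or the plugin's code: it takes a step already parsed from YAML into a dict and reports environment names that a secrets plugin sets and monorepo-diff forwards through its `env` list. The function names, the `SECRET_PLUGINS` list and the tolerated `NAME=value` form are assumptions of the example.

```python
# Added example (not the plugin's code): lint a parsed Buildkite step for secrets
# that a secrets plugin sets and monorepo-diff then forwards via its `env` list.
SECRET_PLUGINS = ("seek-oss/aws-sm",)   # assumption: plugins whose env keys are secrets
DIFF_PLUGIN = "monorepo-diff"           # matched as a substring of the plugin reference


def plugin_items(step):
    """Yield (reference, config) for every plugin entry of a step."""
    for entry in step.get("plugins") or []:
        if isinstance(entry, str):      # plugin listed without configuration
            yield entry, {}
        else:
            for ref, cfg in entry.items():
                yield ref, cfg or {}


def forwarded_secrets(step):
    """Return env names fetched by a secrets plugin and forwarded by monorepo-diff."""
    secrets, forwarded = set(), set()
    for ref, cfg in plugin_items(step):
        name = ref.split("#", 1)[0]     # drop the "#v2.3.1" version suffix
        if name.startswith(SECRET_PLUGINS):
            secrets.update(cfg.get("env") or {})
        elif DIFF_PLUGIN in name:
            for item in cfg.get("env") or []:
                forwarded.add(str(item).split("=", 1)[0])  # tolerate "NAME=value"
    return sorted(secrets & forwarded)


# Constructed inputs: the two layouts from the issue, as they look after YAML parsing.
AWS_SM = {"seek-oss/aws-sm#v2.3.1": {"env": {"SECRET_ENV_VAR": {
    "secret-id": "secret/id", "json-key": ".json_key"}}}}
WATCH = {"path": ["foo/**"], "config": {"label": "Docker images", "key": "docker-images"}}

WORKAROUND_STEP = {"plugins": [AWS_SM, {"monebag/monorepo-diff#v2.5.8": {
    "diff": "./scripts/ci/changed_files.sh", "env": ["SECRET_ENV_VAR"], "watch": [WATCH]}}]}

PROPOSED_WATCH = {**WATCH, "config": {**WATCH["config"], "plugins": [AWS_SM]}}
PROPOSED_STEP = {"plugins": [{"monebag/monorepo-diff#v2.5.8": {
    "diff": "./scripts/ci/changed_files.sh", "watch": [PROPOSED_WATCH]}}]}

if __name__ == "__main__":
    for label, step in (("workaround", WORKAROUND_STEP), ("proposed", PROPOSED_STEP)):
        print(label, forwarded_secrets(step) or "no forwarded secrets")
```

The check only inspects the step's own plugin list, so it flags the workaround layout and stays silent on the proposed per-job layout, where the secret is never placed in the generated job's environment.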