buildkite
diff --git a/‎.buildkite/pipeline.deploy.yml‎
Lines changed: 16 additions & 6 deletions b/‎.buildkite/pipeline.deploy.yml‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎data/content/agent_attributes.yaml‎
Lines changed: 14 additions & 8 deletions b/‎data/content/agent_attributes.yaml‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎data/graphql/schema.graphql‎
Lines changed: 70 additions & 7 deletions b/‎data/graphql/schema.graphql‎
Lines changed: 70 additions & 7 deletions
diff --git a/‎data/nav_graphql.yml‎
Lines changed: 4 additions & 0 deletions b/‎data/nav_graphql.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pages/agent/v3/cli_oidc.md‎
Lines changed: 1 addition & 1 deletion b/‎pages/agent/v3/cli_oidc.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pages/agent/v3/help/_annotate.md‎
Lines changed: 2 additions & 2 deletions b/‎pages/agent/v3/help/_annotate.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pages/agent/v3/help/_bootstrap.md‎
Lines changed: 1 addition & 0 deletions b/‎pages/agent/v3/help/_bootstrap.md‎
Lines changed: 1 addition & 0 deletions
@@ -6,18 +6,22 @@ steps:
     if: |
       build.branch == "main"
     agents:
-      queue: deploy
+      queue: elastic-runners
     plugins:
-      ecr#v2.7.0:
-        login: true
-        account-ids: ${ECR_ACCOUNT_ID}
+      - aws-assume-role-with-web-identity#v1.0.0:
+          role-arn: arn:aws:iam::${ECR_ACCOUNT_ID}:role/pipeline-buildkite-docs-main
+      - ecr#v2.7.0:
+          login: true
+          account-ids: ${ECR_ACCOUNT_ID}
 
   - name: ":ecr: ECR Vulnerabilities Scan"
     command: "true"
     agents:
-      queue: deploy
+      queue: elastic-runners
     depends_on: "ecr-push"
     plugins:
+      - aws-assume-role-with-web-identity#v1.0.0:
+          role-arn: arn:aws:iam::${ECR_ACCOUNT_ID}:role/pipeline-buildkite-docs-main
       - buildkite/ecr-scan-results#v1.2.0:
           image-name: "${ECR_REPO}:${BUILDKITE_BUILD_NUMBER}"
           ignore:
@@ -38,6 +42,9 @@ steps:
             - CVE-2023-5678  # openssl 3.0.11-1~deb12u1
             - CVE-2023-50495 # ncurses 6.4-4
             - CVE-2024-0567 # gnutls28 3.7.9-2+deb12u1
+            - CVE-2023-50387 # systemd 252.17-1~deb12u1
+            - CVE-2024-0553 # gnutls28 3.7.9-2
+            - CVE-2024-0567 # gnutls28 3.7.9-2+deb12u1
 
   # If the current user is part of the deploy team, then wait for everything to
   # finish before deploying
@@ -61,8 +68,11 @@ steps:
     concurrency: 1
     concurrency_group: docs-deploy
     agents:
-      queue: deploy
+      queue: elastic-runners
     command: scripts/deploy-ecs
+    plugins:
+      - aws-assume-role-with-web-identity#v1.0.0:
+          role-arn: arn:aws:iam::${ECR_ACCOUNT_ID}:role/pipeline-buildkite-docs-main
 
   - wait
 
 
@@ -4,19 +4,25 @@ attributes:
   default_value: None
   required: true
   desc: |
-      The agent registration token from your organization’s _Agents_ page, used only to register new agents. To get your token, log in to Buildkite, navigate to _Agents_, then select _Reveal Agent Token_.
-- name: bootstrap-script
-  env_var: BUILDKITE_BOOTSTRAP_SCRIPT_PATH
-  default_value: "buildkite-agent bootstrap"
-  required: false
-  desc: |
-      Command to invoke the bootstrap process.
+      The agent registration token from your organization's _Agents_ page, used only to register new agents. To get your token, log in to Buildkite, navigate to _Agents_, then select _Reveal Agent Token_.
 - name: build-path
   env_var: BUILDKITE_BUILD_PATH
   default_value: "(depends on platform)"
   required: true
   desc: |
       Path to where the builds will run from.
+- name: allowed-repositories
+  env_var: BUILDKITE_ALLOWED_REPOSITORIES
+  default_value: ""
+  required: false
+  desc: |
+      A comma-separated list of regular expressions representing repositories the agent is allowed to clone (for example, `^git@github.com:buildkite/.\*` or `^https://github.com/buildkite/.*`)
+- name: bootstrap-script
+  env_var: BUILDKITE_BOOTSTRAP_SCRIPT_PATH
+  default_value: "buildkite-agent bootstrap"
+  required: false
+  desc: |
+      Command to invoke the bootstrap process.
 - name: cancel-grace-period
   env_var: BUILDKITE_CANCEL_GRACE_PERIOD
   default_value: "10"
@@ -204,7 +210,7 @@ attributes:
   desc: |
       Do not allow this agent to run arbitrary console commands.
 - name: no-git-submodules
-  env_var: BUILDKITE_NO_GIT_SUBMODULES, BUILDKIT_DISABLE_GIT_SUBMODULES
+  env_var: BUILDKITE_NO_GIT_SUBMODULES, BUILDKITE_DISABLE_GIT_SUBMODULES
   default_value: "false"
   required: false
   desc: |
 
@@ -721,12 +721,13 @@ type AuditActor {
 """
 Kinds of actors which can perform audit events
 """
-union AuditActorNode = User
+union AuditActorNode = Agent | User
 
 """
 All the possible types of actors in an Audit Event
 """
 enum AuditActorType {
+  AGENT
   USER
 }
 
@@ -845,6 +846,11 @@ enum AuditEventType {
   SCM_SERVICE_CREATED
   SCM_SERVICE_DELETED
   SCM_SERVICE_UPDATED
+  SECRET_CREATED
+  SECRET_DELETED
+  SECRET_QUERIED
+  SECRET_READ
+  SECRET_UPDATED
   SSO_PROVIDER_CREATED
   SSO_PROVIDER_DELETED
   SSO_PROVIDER_DISABLED
@@ -919,7 +925,7 @@ type AuditSubject {
 """
 Kinds of subjects which can have audit events performed on them
 """
-union AuditSubjectNode = APIAccessToken | AgentToken | AuthorizationBitbucket | AuthorizationGitHub | AuthorizationGitHubEnterprise | Cluster | ClusterPermission | ClusterQueue | ClusterQueueToken | ClusterToken | Email | NotificationServiceSlack | NotificationServiceWebhook | Organization | OrganizationBanner | OrganizationInvitation | OrganizationMember | Pipeline | PipelineSchedule | PipelineTemplate | SCMPipelineSettings | SCMRepositoryHost | SCMService | SSOProviderGitHubApp | SSOProviderGoogleGSuite | SSOProviderSAML | Subscription | Suite | TOTP | Team | TeamMember | TeamPipeline | TeamSuite | User
+union AuditSubjectNode = APIAccessToken | AgentToken | AuthorizationBitbucket | AuthorizationGitHub | AuthorizationGitHubEnterprise | Cluster | ClusterPermission | ClusterQueue | ClusterQueueToken | ClusterToken | Email | NotificationServiceSlack | NotificationServiceWebhook | Organization | OrganizationBanner | OrganizationInvitation | OrganizationMember | Pipeline | PipelineSchedule | PipelineTemplate | SCMPipelineSettings | SCMRepositoryHost | SCMService | SSOProviderGitHubApp | SSOProviderGoogleGSuite | SSOProviderSAML | Secret | Subscription | Suite | TOTP | Team | TeamMember | TeamPipeline | TeamSuite | User
 
 """
 All the possible types of subjects in an Audit Event
@@ -944,6 +950,7 @@ enum AuditSubjectType {
   SCM_PIPELINE_SETTINGS
   SCM_REPOSITORY_HOST
   SCM_SERVICE
+  SECRET
   SSO_PROVIDER
   SUBSCRIPTION
   SUITE
@@ -3824,7 +3831,7 @@ type Mutation {
   ): AgentStopPayload
 
   """
-  Create a new unclustered agent token.
+  Create a new agent registration token.
   """
   agentTokenCreate(
     """
@@ -3834,7 +3841,7 @@ type Mutation {
   ): AgentTokenCreatePayload
 
   """
-  Revoke an unclustered agent token.
+  Revoke an agent registration token.
   """
   agentTokenRevoke(
     """
@@ -3895,7 +3902,7 @@ type Mutation {
   ): BuildRebuildPayload
 
   """
-  Create a new agent token for a cluster.
+  Create a new cluster agent token
   """
   clusterAgentTokenCreate(
     """
@@ -3905,7 +3912,7 @@ type Mutation {
   ): ClusterAgentTokenCreatePayload
 
   """
-  Revokes an agent token for a cluster.
+  Revokes a cluster agent token
   """
   clusterAgentTokenRevoke(
     """
@@ -3915,7 +3922,7 @@ type Mutation {
   ): ClusterAgentTokenRevokePayload
 
   """
-  Updates an agent token for a cluster.
+  Updates a cluster agent token
   """
   clusterAgentTokenUpdate(
     """
@@ -7735,6 +7742,16 @@ type Query {
     uuid: ID!
   ): PipelineTemplate
 
+  """
+  Find a secret via its uuid. This does not contain the value of the secret or encrypted material.
+  """
+  secret(
+    """
+    The UUID for the secret i.e. `0bd5ea7c-89b3-4f40-8ca3-ffac805771eb`
+    """
+    uuid: ID!
+  ): Secret
+
   """
   Find an sso provider either using it's slug, or UUID
   """
@@ -8919,6 +8936,52 @@ type SSOProviderUpdatePayload {
   ssoProvider: SSOProvider!
 }
 
+"""
+A secret hosted by Buildkite. This does not contain the secret value or encrypted material.
+"""
+type Secret implements Node {
+  """
+  The cluster that the secret belongs to
+  """
+  cluster: Cluster
+
+  """
+  The time this secret was created
+  """
+  createdAt: DateTime
+
+  """
+  A description about what this secret is used for
+  """
+  description: String
+
+  """
+  The time this secret was destroyed
+  """
+  destroyedAt: DateTime
+  id: ID!
+
+  """
+  The key value used to name the secret
+  """
+  key: String!
+
+  """
+  The organization that the secret belongs to
+  """
+  organization: Organization!
+
+  """
+  The time this secret was updated
+  """
+  updatedAt: DateTime
+
+  """
+  The public UUID for the secret
+  """
+  uuid: ID!
+}
+
 interface Step {
   """
   The conditional evaluated for this step
 
@@ -59,6 +59,8 @@
     path: apis/graphql/schemas/query/pipelineschedule
   - name: pipelineTemplate
     path: apis/graphql/schemas/query/pipelinetemplate
+  - name: secret
+    path: apis/graphql/schemas/query/secret
   - name: ssoProvider
     path: apis/graphql/schemas/query/ssoprovider
   - name: team
@@ -671,6 +673,8 @@
     path: apis/graphql/schemas/object/ssoprovidersamlsptype
   - name: SSOProviderUpdatePayload
     path: apis/graphql/schemas/object/ssoproviderupdatepayload
+  - name: Secret
+    path: apis/graphql/schemas/object/secret
   - name: StepCommand
     path: apis/graphql/schemas/object/stepcommand
   - name: StepInput
 
@@ -45,7 +45,7 @@ For specific endpoints for OpenID or JWKS, use:
         commit:BUILD_COMMIT:step:STEP_KEY</code>. </p>
       <p>If the build has a tag, <code>REF</code> is <code>refs/tags/TAG</code>.</p>
       <p>Otherwise, <code>REF</code> is <code>refs/heads/BRANCH</code>.</p>
-      <p><em>Example:</em><code>organization:acme-inc:pipeline:super-duper-app:             ref:refs/heads/main:commit:9f3182061f1e2cca4702c368cbc039b7dc9d4485:step:build</code></p>
+      <p><em>Example:</em><code>organization:acme-inc:pipeline:super-duper-app:ref:refs/heads/main:commit:9f3182061f1e2cca4702c368cbc039b7dc9d4485:step:build</code></p>
     </td>
   </tr>
    <tr>
 
@@ -30,7 +30,7 @@ Annotations are written in CommonMark-compliant Markdown, with &quot;GitHub
 Flavored Markdown&quot; extensions.
 
 The annotation body can be supplied as a command line argument, or by piping
-content into the command. Custom Buildkite [emojis](/docs/pipelines/emojis) are supported. The maximum size of each annotation body is 1MiB.
+content into the command. The maximum size of each annotation body is 1MiB.
 
 You can update an existing annotation&#39;s body by running the annotate command
 again and provide the same context as the one you want to update. Or if you
@@ -46,7 +46,6 @@ $ buildkite-agent annotate "All tests passed! :rocket:"
 $ cat annotation.md | buildkite-agent annotate --style "warning"
 $ buildkite-agent annotate --style "success" --context "junit"
 $ ./script/dynamic_annotation_generator | buildkite-agent annotate --style "success"
-$ buildkite-agent annotate ":one-does-not-simply: Green builds are coming." --style "success"
 ```
 
 ### Options
@@ -57,6 +56,7 @@ $ buildkite-agent annotate ":one-does-not-simply: Green builds are coming." --st
 <tr id="context"><th><code>--context value</code> <a class="Docs__attribute__link" href="#context">#</a></th><td><p>The context of the annotation used to differentiate this annotation from others<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_CONTEXT</code></p></td></tr>
 <tr id="style"><th><code>--style value</code> <a class="Docs__attribute__link" href="#style">#</a></th><td><p>The style of the annotation (`success`, `info`, `warning` or `error`)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_STYLE</code></p></td></tr>
 <tr id="append"><th><code>--append </code> <a class="Docs__attribute__link" href="#append">#</a></th><td><p>Append to the body of an existing annotation<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_APPEND</code></p></td></tr>
+<tr id="priority"><th><code>--priority value</code> <a class="Docs__attribute__link" href="#priority">#</a></th><td><p>Priority of the annotation (1 to 10). By default annotations have a priority of 3. Annotations with a priority of 10 will be shown first, and annotations with a priority of 1 will be shown last. (default: 0)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_PRIORITY</code></p></td></tr>
 <tr id="job"><th><code>--job value</code> <a class="Docs__attribute__link" href="#job">#</a></th><td><p>Which job should the annotation come from<br /><strong>Environment variable</strong>: <code>$BUILDKITE_JOB_ID</code></p></td></tr>
 <tr id="agent-access-token"><th><code>--agent-access-token value</code> <a class="Docs__attribute__link" href="#agent-access-token">#</a></th><td><p>The access token used to identify the agent<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_ACCESS_TOKEN</code></p></td></tr>
 <tr id="endpoint"><th><code>--endpoint value</code> <a class="Docs__attribute__link" href="#endpoint">#</a></th><td><p>The Agent API endpoint (default: "<code>https://agent.buildkite.com/v3</code>")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_ENDPOINT</code></p></td></tr>
 
@@ -93,6 +93,7 @@ $ buildkite-agent bootstrap --build-path builds
 <tr id="redacted-vars"><th><code>--redacted-vars value</code> <a class="Docs__attribute__link" href="#redacted-vars">#</a></th><td><p>Pattern of environment variable names containing sensitive values<br /><strong>Environment variable</strong>: <code>$BUILDKITE_REDACTED_VARS</code></p></td></tr>
 <tr id="tracing-backend"><th><code>--tracing-backend value</code> <a class="Docs__attribute__link" href="#tracing-backend">#</a></th><td><p>The name of the tracing backend to use.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_TRACING_BACKEND</code></p></td></tr>
 <tr id="tracing-service-name"><th><code>--tracing-service-name value</code> <a class="Docs__attribute__link" href="#tracing-service-name">#</a></th><td><p>Service name to use when reporting traces. (default: "buildkite-agent")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_TRACING_SERVICE_NAME</code></p></td></tr>
+<tr id="no-job-api"><th><code>--no-job-api </code> <a class="Docs__attribute__link" href="#no-job-api">#</a></th><td><p>Disables the Job API, which gives commands in jobs some abilities to introspect and mutate the state of the job.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_NO_JOB_API</code></p></td></tr>
 <tr id="debug"><th><code>--debug </code> <a class="Docs__attribute__link" href="#debug">#</a></th><td><p>Enable debug mode. Synonym for `--log-level debug`. Takes precedence over `--log-level`<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_DEBUG</code></p></td></tr>
 <tr id="log-level"><th><code>--log-level value</code> <a class="Docs__attribute__link" href="#log-level">#</a></th><td><p>Set the log level for the agent, making logging more or less verbose. Defaults to notice. Allowed values are: debug, info, error, warn, fatal (default: "notice")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_LOG_LEVEL</code></p></td></tr>
 <tr id="experiment"><th><code>--experiment value</code> <a class="Docs__attribute__link" href="#experiment">#</a></th><td><p>Enable experimental features within the buildkite-agent<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_EXPERIMENT</code></p></td></tr>