I'm contributing something to the agent #1878 and there are two issues from a contributor's perspective:
1. I can't view CI runs on the repo; it says "You must log in to see this page", but this is an open source project and arguably anyone should be able to view CI logs, like they are in, for example, the Bazel repo with BuildKite CI.
2. CI jobs are not running on my newly created PR; perhaps you need to approve my user first to allow CI runs on my PRs, which is again not really expected on properly configured open source projects. Just split the jobs with credentials injected into separate ones that can only run on your own branches.

I find it very much ironic that a CI company doesn't have these things properly configured w/ their own CI system on their own open source repo instead of being a go-to place of a perfectly configured reference setup w/ best experience for the users 😅
the TL;DR here is that both of these are conscious choices on our end, but that making the agent pipeline publicly viewable is something that we're working towards. for the moment, we don't have any plans to automatically start CI runs on forked repos, however.
To go into a bit more detail:
> I can't view CI runs on the repo
as i've said above, this is a choice that we've made, though looking at changing it. at the moment, the agent pipeline has some secret stuff in it that's not fit for human consumption, and we need to carefully go over the build logs to ensure that we're not accidentally leaking anything secret to the public. we'd love to get to this soon, but there's other stuff ahead of this in the queue, and we're not sure when we'll get to it.
first off, thank you for your PR! it'll make the logs significantly more useful.
this too is a choice that we've made, though not one that we're super likely to revisit in the near future.
the reality here is that people do stupid stuff with open-source CI pipelines all the time - install bitcoin miners, try to steal secrets, all that good stuff. given the throughput of open-source contributions to this repo (2-3 PRs from non-Buildkite staff in a good week?), our time is better spent reviewing open-source contributions (something we do anyway) before we run the CI for them.
the alternative would be to pretty heavily rewrite our CI pipeline, to try to prevent people from doing stupid and/or malicious things, which would be really difficult. determined people can do all sorts of interesting and bad things that we might not predict, so for the foreseeable future we're going to stick with manual review and CI kickoff.
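The reply above mentions going over build logs for leaked secrets before making a pipeline public. The following is an added example of such a check, not code from this thread or from Buildkite: it scans log text for known secret values in plain, base64, hex and URL-encoded form. The secret names, values and log lines are constructed for illustration.

```python
import base64
import urllib.parse

MIN_LEN = 8  # shorter values collide with ordinary log text (build numbers, ports)


def encoded_forms(value: str) -> dict[str, str]:
    """Forms a secret commonly takes in CI output. base64 only matches a
    secret that was encoded on its own, not one embedded in a larger blob."""
    raw = value.encode()
    forms = {
        "plain": value,
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "url": urllib.parse.quote(value, safe=""),
    }
    # Drop encodings identical to the plain value so a hit is reported once.
    return {f: e for f, e in forms.items() if f == "plain" or e != value}


def audit_log(log_text: str, secrets: dict[str, str]) -> list[tuple[int, str, str]]:
    """Return (line_number, secret_name, form) per hit; values are never echoed."""
    needles = [(name, form, enc)
               for name, value in secrets.items() if len(value) >= MIN_LEN
               for form, enc in encoded_forms(value).items()]
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        lowered = line.lower()  # hex dumps may be upper- or lower-case
        for name, form, enc in needles:
            haystack = lowered if form == "hex" else line
            if enc in haystack:
                findings.append((lineno, name, form))
    return findings


# Constructed sample data: hypothetical secret names, values and log lines.
SAMPLE_SECRETS = {"DEPLOY_TOKEN": "bk/constructed+token=123", "PIN": "1234"}
SAMPLE_LOG = "\n".join([
    "$ go test ./...",
    "ok   agent 1.2s",
    '$ curl -H "Authorization: Bearer bk/constructed+token=123" https://example.invalid/up',
    "+ export AUTH=" + base64.b64encode(b"bk/constructed+token=123").decode(),
    "build 1234 finished",
])

if __name__ == "__main__":
    for lineno, name, form in audit_log(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"line {lineno}: {name} present in {form} form")
```

A clean result only shows that these exact values and encodings are absent; it does not cover secrets that were split, truncated or transformed in other ways.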