Organization profiles
An organization profile defines sets of repository access and permissions available to all agents associated with the Buildkite organization.
The location of the organizational profile is configured via the
GITHUB_ORG_PROFILE
environment variable.
Profile-related tokens are requested via separate URL paths. Tokens will not be vended on these paths unless configuration is present.
Profiles are useful for a variety of use cases where low-risk access is required by a wide set of repositories. For example:
- Accessing private packages or releases
- Loading Buildkite plugins from private repositories
- Cloning or reading multiple private repositories within a pipeline
Organization profile structure
Section titled “Organization profile structure”The organization profile is provided as a YAML file with structure as follows:
organization: profiles: - name: "<profile-name>" repositories: - "<repository-name>" permissions: ["<permission>"]Fields
Section titled “Fields”organization
Section titled “organization”The root element that contains all organization-related configurations.
profiles
Section titled “profiles”A list of profiles within the organization. Each profile must contain:
The name of the profile. This should be a unique identifier for the profile.
repositories
Section titled “repositories”A list of repositories that the profile has access to. This list includes only the repository name and does not include the owner or organization name.
permissions
Section titled “permissions”A list of permissions granted to the profile. See the GitHub documentation for tokens for available permission values.
Example
Section titled “Example”organization: profiles: # allow read access to a set of buildkite-plugins - name: "buildkite-plugin" # array of repos accessible to the profile repositories: - somewhat-private-buildkite-plugin - very-private-buildkite-plugin permissions: ["contents:read"]
# allow package access to any repository - name: "package-registry" # '*' indicates all, when specified must be only value. No other wildcards supported. repositories: ["*"] permissions: ["packages:read"]