Pipeline profiles

Pipeline profiles define permission sets that pipelines can request for their own repository. Unlike organization profiles, pipeline profiles do not specify repositories; tokens are always scoped to the requesting pipeline’s associated repository.

pipeline:
  defaults:
    permissions: ["contents:read", "pull_requests:read"]
  profiles:
    - name: "pr-commenter"
      match: # Optional claim matching
        - claim: "pipeline_slug"
          valuePattern: ".*"
      permissions: ["contents:read", "pull_requests:write"]

pipeline

Root element for pipeline profile configuration.

pipeline.defaults

Default permissions applied to all pipeline token requests when no profile is specified. Requests to /token or /git-credentials (without a profile name) receive these permissions.

pipeline.defaults.permissions

List of GitHub permissions. See the GitHub documentation for tokens for available permission values.

pipeline.profiles

A list of named pipeline profiles available for pipelines to request.

pipeline.profiles[].name

Profile identifier used in API requests. The name "default" is reserved and cannot be used for a custom profile.

pipeline.profiles[].match (optional)

Claim matching rules that restrict which pipelines can use this profile. Omit this field entirely to make the profile available to all pipelines.

See the profile matching reference for complete details on:

  • Match rule syntax (exact vs regex matching)
  • Available claims
  • Pattern examples
  • Troubleshooting

pipeline.profiles[].permissions

GitHub permissions granted by this profile.

pipeline:
  defaults:
    permissions: ["contents:read"]
  profiles:
    # Allow any pipeline to comment on PRs
    - name: "pr-commenter"
      permissions: ["contents:read", "pull_requests:write"]
    # Only main branch can publish releases
    - name: "release-publisher"
      match:
        - claim: build_branch
          value: "main"
      permissions: ["contents:write"]
    # Restricted to specific pipelines
    - name: "deployment"
      match:
        - claim: pipeline_slug
          valuePattern: ".*-prod"
        - claim: build_branch
          value: "main"
      permissions: ["contents:write", "deployments:write"]
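Because omitting match makes a profile available to every pipeline, it is worth listing which non-read permissions are reachable without restriction before a configuration change is merged. The following is an added example, not code from Chinmina: the function names and probe strings are hypothetical, the configuration is a constructed copy of the example above as parsed YAML, and it assumes a profile applies only when all of its match rules match.

```python
import re

# Constructed sample: the example configuration above, as already-parsed YAML.
CONFIG = {"pipeline": {
    "defaults": {"permissions": ["contents:read"]},
    "profiles": [
        {"name": "pr-commenter",
         "permissions": ["contents:read", "pull_requests:write"]},
        {"name": "release-publisher",
         "match": [{"claim": "build_branch", "value": "main"}],
         "permissions": ["contents:write"]},
        {"name": "deployment",
         "match": [{"claim": "pipeline_slug", "valuePattern": ".*-prod"},
                   {"claim": "build_branch", "value": "main"}],
         "permissions": ["contents:write", "deployments:write"]},
    ]}}

# Heuristic: a valuePattern accepting all of these unrelated strings restricts nothing.
PROBES = ["a", "main", "some-pipeline-slug", "x/y_z-1"]

def matches_anything(rule):
    pattern = rule.get("valuePattern")
    return pattern is not None and all(re.fullmatch(pattern, p) for p in PROBES)

def elevated(permissions):
    """Permissions that grant more than read access."""
    return sorted(p for p in permissions if not p.endswith(":read"))

def audit(config):
    """Return (profile, finding) pairs for a parsed pipeline profile config."""
    pipeline = config.get("pipeline", {})
    findings = []
    for perm in elevated(pipeline.get("defaults", {}).get("permissions", [])):
        findings.append(("default", f"{perm} available to every pipeline"))
    for profile in pipeline.get("profiles", []):
        name = profile.get("name", "")
        if name == "default":
            findings.append((name, "reserved profile name"))
        rules = profile.get("match") or []
        # Assumption: all rules must match, so one restrictive rule is enough.
        # No rules at all (all([]) is True) means any pipeline may request it.
        if all(matches_anything(rule) for rule in rules):
            for perm in elevated(profile.get("permissions", [])):
                findings.append((name, f"{perm} available to every pipeline"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(CONFIG):
        print(f"{name}: {finding}")
```

A finding is a prompt for review rather than an error: the pr-commenter profile is reported because it is open to all pipelines, which the configuration comment says is intended.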

Pipeline profiles are requested via:

  • /token/{profile} for JSON token responses
  • /git-credentials/{profile} for Git credential helper format

The special profile name "default" accesses the pipeline.defaults permissions.

The Chinmina Token plugin and Chinmina Git Credentials plugin use the pipeline: prefix to identify pipeline profiles:

environment:
  - GITHUB_TOKEN=pipeline:default # pipeline defaults
  - PR_TOKEN=pipeline:pr-commenter # named pipeline profile

The plugins translate these to the appropriate API paths (/token/default, /token/pr-commenter).