buildkite · gilesgas · Sep 11, 2024 · Sep 6, 2024
@@ -56,7 +56,7 @@ $ ./script/dynamic_annotation_generator | buildkite-agent annotate --style "succ
 <tr id="context"><th><code>--context value</code> <a class="Docs__attribute__link" href="#context">#</a></th><td><p>The context of the annotation used to differentiate this annotation from others<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_CONTEXT</code></p></td></tr>
 <tr id="style"><th><code>--style value</code> <a class="Docs__attribute__link" href="#style">#</a></th><td><p>The style of the annotation (`success`, `info`, `warning` or `error`)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_STYLE</code></p></td></tr>
 <tr id="append"><th><code>--append </code> <a class="Docs__attribute__link" href="#append">#</a></th><td><p>Append to the body of an existing annotation<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_APPEND</code></p></td></tr>
-<tr id="priority"><th><code>--priority value</code> <a class="Docs__attribute__link" href="#priority">#</a></th><td><p>Priority of the annotation (1 to 10). By default annotations have a priority of 3. Annotations with a priority of 10 will be shown first, and annotations with a priority of 1 will be shown last. (default: 0)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_PRIORITY</code></p></td></tr>
+<tr id="priority"><th><code>--priority value</code> <a class="Docs__attribute__link" href="#priority">#</a></th><td><p>The priority of the annotation (`1` to `10`). Annotations with a priority of `10` are shown first, while annotations with a priority of `1` are shown last. (default: 3)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ANNOTATION_PRIORITY</code></p></td></tr>
 <tr id="job"><th><code>--job value</code> <a class="Docs__attribute__link" href="#job">#</a></th><td><p>Which job should the annotation come from<br /><strong>Environment variable</strong>: <code>$BUILDKITE_JOB_ID</code></p></td></tr>
 <tr id="agent-access-token"><th><code>--agent-access-token value</code> <a class="Docs__attribute__link" href="#agent-access-token">#</a></th><td><p>The access token used to identify the agent<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_ACCESS_TOKEN</code></p></td></tr>
 <tr id="endpoint"><th><code>--endpoint value</code> <a class="Docs__attribute__link" href="#endpoint">#</a></th><td><p>The Agent API endpoint (default: "<code>https://agent.buildkite.com/v3</code>")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_ENDPOINT</code></p></td></tr>

@@ -103,6 +103,7 @@ $ buildkite-agent bootstrap --build-path builds
 <tr id="redacted-vars"><th><code>--redacted-vars value</code> <a class="Docs__attribute__link" href="#redacted-vars">#</a></th><td><p>Pattern of environment variable names containing sensitive values (default: "*_PASSWORD", "*_SECRET", "*_TOKEN", "*_PRIVATE_KEY", "*_ACCESS_KEY", "*_SECRET_KEY", "*_CONNECTION_STRING")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_REDACTED_VARS</code></p></td></tr>
 <tr id="strict-single-hooks"><th><code>--strict-single-hooks </code> <a class="Docs__attribute__link" href="#strict-single-hooks">#</a></th><td><p>Enforces that only one checkout hook, and only one command hook, can be run<br /><strong>Environment variable</strong>: <code>$BUILDKITE_STRICT_SINGLE_HOOKS</code></p></td></tr>
 <tr id="kubernetes-exec"><th><code>--kubernetes-exec </code> <a class="Docs__attribute__link" href="#kubernetes-exec">#</a></th><td><p>This is intended to be used only by the Buildkite k8s stack (github.com/buildkite/agent-stack-k8s); it enables a Unix socket for transporting logs and exit statuses between containers in a pod<br /><strong>Environment variable</strong>: <code>$BUILDKITE_KUBERNETES_EXEC</code></p></td></tr>
+<tr id="trace-context-encoding"><th><code>--trace-context-encoding value</code> <a class="Docs__attribute__link" href="#trace-context-encoding">#</a></th><td><p>Sets the inner encoding for BUILDKITE_TRACE_CONTEXT. Must be either json or gob (default: "gob")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_TRACE_CONTEXT_ENCODING</code></p></td></tr>
 </table>
 
 <!-- vale on -->
@@ -58,6 +58,7 @@ $ ./script/dynamic_step_generator | buildkite-agent pipeline upload
 <tr id="reject-secrets"><th><code>--reject-secrets </code> <a class="Docs__attribute__link" href="#reject-secrets">#</a></th><td><p>When true, fail the pipeline upload early if the pipeline contains secrets<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_PIPELINE_UPLOAD_REJECT_SECRETS</code></p></td></tr>
 <tr id="jwks-file"><th><code>--jwks-file value</code> <a class="Docs__attribute__link" href="#jwks-file">#</a></th><td><p>Path to a file containing a JWKS. Passing this flag enables pipeline signing<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_JWKS_FILE</code></p></td></tr>
 <tr id="jwks-key-id"><th><code>--jwks-key-id value</code> <a class="Docs__attribute__link" href="#jwks-key-id">#</a></th><td><p>The JWKS key ID to use when signing the pipeline. Required when using a JWKS<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_JWKS_KEY_ID</code></p></td></tr>
+<tr id="signing-aws-kms-key"><th><code>--signing-aws-kms-key value</code> <a class="Docs__attribute__link" href="#signing-aws-kms-key">#</a></th><td><p>The AWS KMS key identifier which is used to sign pipelines.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_AWS_KMS_KEY</code></p></td></tr>
 <tr id="debug-signing"><th><code>--debug-signing </code> <a class="Docs__attribute__link" href="#debug-signing">#</a></th><td><p>Enable debug logging for pipeline signing. This can potentially leak secrets to the logs as it prints each step in full before signing. Requires debug logging to be enabled<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_DEBUG_SIGNING</code></p></td></tr>
 <tr id="agent-access-token"><th><code>--agent-access-token value</code> <a class="Docs__attribute__link" href="#agent-access-token">#</a></th><td><p>The access token used to identify the agent<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_ACCESS_TOKEN</code></p></td></tr>
 <tr id="endpoint"><th><code>--endpoint value</code> <a class="Docs__attribute__link" href="#endpoint">#</a></th><td><p>The Agent API endpoint (default: "<code>https://agent.buildkite.com/v3</code>")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_ENDPOINT</code></p></td></tr>

@@ -103,6 +103,7 @@ $ buildkite-agent start --token xxx
 <tr id="verification-jwks-file"><th><code>--verification-jwks-file value</code> <a class="Docs__attribute__link" href="#verification-jwks-file">#</a></th><td><p>Path to a file containing a JSON Web Key Set (JWKS), used to verify job signatures.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_VERIFICATION_JWKS_FILE</code></p></td></tr>
 <tr id="signing-jwks-file"><th><code>--signing-jwks-file value</code> <a class="Docs__attribute__link" href="#signing-jwks-file">#</a></th><td><p>Path to a file containing a signing key. Passing this flag enables pipeline signing for all pipelines uploaded by this agent. For hmac-sha256, the raw file content is used as the shared key<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_SIGNING_JWKS_FILE</code></p></td></tr>
 <tr id="signing-jwks-key-id"><th><code>--signing-jwks-key-id value</code> <a class="Docs__attribute__link" href="#signing-jwks-key-id">#</a></th><td><p>The JWKS key ID to use when signing the pipeline. If omitted, and the signing JWKS contains only one key, that key will be used.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_SIGNING_JWKS_KEY_ID</code></p></td></tr>
+<tr id="signing-aws-kms-key"><th><code>--signing-aws-kms-key value</code> <a class="Docs__attribute__link" href="#signing-aws-kms-key">#</a></th><td><p>The KMS KMS key ID, or key alias used when signing and verifying the pipeline.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_SIGNING_AWS_KMS_KEY</code></p></td></tr>
 <tr id="debug-signing"><th><code>--debug-signing </code> <a class="Docs__attribute__link" href="#debug-signing">#</a></th><td><p>Enable debug logging for pipeline signing. This can potentially leak secrets to the logs as it prints each step in full before signing. Requires debug logging to be enabled<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_DEBUG_SIGNING</code></p></td></tr>
 <tr id="verification-failure-behavior"><th><code>--verification-failure-behavior value</code> <a class="Docs__attribute__link" href="#verification-failure-behavior">#</a></th><td><p>The behavior when a job is received without a signature. One of: [block warn]. Defaults to block (default: "block")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_JOB_VERIFICATION_NO_SIGNATURE_BEHAVIOR</code></p></td></tr>
 <tr id="disable-warnings-for"><th><code>--disable-warnings-for value</code> <a class="Docs__attribute__link" href="#disable-warnings-for">#</a></th><td><p>A list of warning IDs to disable<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_DISABLE_WARNINGS_FOR</code></p></td></tr>
@@ -118,6 +119,7 @@ $ buildkite-agent start --token xxx
 <tr id="redacted-vars"><th><code>--redacted-vars value</code> <a class="Docs__attribute__link" href="#redacted-vars">#</a></th><td><p>Pattern of environment variable names containing sensitive values (default: "*_PASSWORD", "*_SECRET", "*_TOKEN", "*_PRIVATE_KEY", "*_ACCESS_KEY", "*_SECRET_KEY", "*_CONNECTION_STRING")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_REDACTED_VARS</code></p></td></tr>
 <tr id="strict-single-hooks"><th><code>--strict-single-hooks </code> <a class="Docs__attribute__link" href="#strict-single-hooks">#</a></th><td><p>Enforces that only one checkout hook, and only one command hook, can be run<br /><strong>Environment variable</strong>: <code>$BUILDKITE_STRICT_SINGLE_HOOKS</code></p></td></tr>
 <tr id="kubernetes-exec"><th><code>--kubernetes-exec </code> <a class="Docs__attribute__link" href="#kubernetes-exec">#</a></th><td><p>This is intended to be used only by the Buildkite k8s stack (github.com/buildkite/agent-stack-k8s); it enables a Unix socket for transporting logs and exit statuses between containers in a pod<br /><strong>Environment variable</strong>: <code>$BUILDKITE_KUBERNETES_EXEC</code></p></td></tr>
+<tr id="trace-context-encoding"><th><code>--trace-context-encoding value</code> <a class="Docs__attribute__link" href="#trace-context-encoding">#</a></th><td><p>Sets the inner encoding for BUILDKITE_TRACE_CONTEXT. Must be either json or gob (default: "gob")<br /><strong>Environment variable</strong>: <code>$BUILDKITE_TRACE_CONTEXT_ENCODING</code></p></td></tr>
 <tr id="tags-from-ec2"><th><code>--tags-from-ec2 </code> <a class="Docs__attribute__link" href="#tags-from-ec2">#</a></th><td><p>Include the host's EC2 meta-data as tags (instance-id, instance-type, and ami-id)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_TAGS_FROM_EC2</code></p></td></tr>
 <tr id="tags-from-gcp"><th><code>--tags-from-gcp </code> <a class="Docs__attribute__link" href="#tags-from-gcp">#</a></th><td><p>Include the host's Google Cloud instance meta-data as tags (instance-id, machine-type, preemptible, project-id, region, and zone)<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_TAGS_FROM_GCP</code></p></td></tr>
 </table>

@@ -61,6 +61,7 @@ $ cat pipeline.yml | buildkite-agent tool sign \
 <tr id="no-confirm"><th><code>--no-confirm </code> <a class="Docs__attribute__link" href="#no-confirm">#</a></th><td><p>Show confirmation prompts before updating the pipeline with the GraphQL API.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_TOOL_SIGN_NO_CONFIRM</code></p></td></tr>
 <tr id="jwks-file"><th><code>--jwks-file value</code> <a class="Docs__attribute__link" href="#jwks-file">#</a></th><td><p>Path to a file containing a JWKS.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_JWKS_FILE</code></p></td></tr>
 <tr id="jwks-key-id"><th><code>--jwks-key-id value</code> <a class="Docs__attribute__link" href="#jwks-key-id">#</a></th><td><p>The JWKS key ID to use when signing the pipeline. If none is provided and the JWKS file contains only one key, that key will be used.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_JWKS_KEY_ID</code></p></td></tr>
+<tr id="signing-aws-kms-key"><th><code>--signing-aws-kms-key value</code> <a class="Docs__attribute__link" href="#signing-aws-kms-key">#</a></th><td><p>The AWS KMS key identifier which is used to sign pipelines.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_AWS_KMS_KEY</code></p></td></tr>
 <tr id="debug-signing"><th><code>--debug-signing </code> <a class="Docs__attribute__link" href="#debug-signing">#</a></th><td><p>Enable debug logging for pipeline signing. This can potentially leak secrets to the logs as it prints each step in full before signing. Requires debug logging to be enabled<br /><strong>Environment variable</strong>: <code>$BUILDKITE_AGENT_DEBUG_SIGNING</code></p></td></tr>
 <tr id="organization-slug"><th><code>--organization-slug value</code> <a class="Docs__attribute__link" href="#organization-slug">#</a></th><td><p>The organization slug. Required to connect to the GraphQL API.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_ORGANIZATION_SLUG</code></p></td></tr>
 <tr id="pipeline-slug"><th><code>--pipeline-slug value</code> <a class="Docs__attribute__link" href="#pipeline-slug">#</a></th><td><p>The pipeline slug. Required to connect to the GraphQL API.<br /><strong>Environment variable</strong>: <code>$BUILDKITE_PIPELINE_SLUG</code></p></td></tr>