Support public Buildkite pipelines in pr-buildkite-detective

[Copilot]

This PR updates pr-buildkite-detective to support public Buildkite pipelines when BUILDKITE_API_TOKEN is not configured, while preserving the existing Buildkite MCP flow when a token is available.

Changes

• Made BUILDKITE_API_TOKEN optional (required: false) in .github/workflows/gh-aw-pr-buildkite-detective.md.
• Added buildkite.com to the workflow network allowlist so public Buildkite pages can be fetched.
• Added a Resolve event context step that normalizes event data into BK_EVENT_* environment variables, and switched prompt context to those variables.
• Split Step 2 into:
  • 2a (token available): existing Buildkite MCP path.
  • 2b (no token / MCP unavailable): discover Buildkite URLs from PR status/check target_url, fetch the public build page, identify failed jobs, then fetch job logs.
• Updated workflow docs/examples to clarify BUILDKITE_API_TOKEN is optional for public pipelines.

Public fallback flow (Step 2b)

pull_request_read(get_status)
  -> find buildkite.com target_url
  -> web-fetch build page
  -> identify failed jobs
  -> web-fetch /jobs/(job-uuid)/log
  -> extract errors / stack traces / final output

Validation

• make lint passes.
• make compile passes.

Fixes #423

Generated by Update PR Body for issue #427

[v1v]

LGTM

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

📥 Commits

Reviewing files that changed from the base of the PR and between 0db60fe and 66c8a88.

📒 Files selected for processing (2)

• .github/workflows/gh-aw-pr-buildkite-detective.lock.yml
• .github/workflows/gh-aw-pr-buildkite-detective.md

 ____________________________________________________________________________________________________________________________________
< Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with. >
 ------------------------------------------------------------------------------------------------------------------------------------
  \
   \   (\__/)
       (•ㅅ•)
       / 　 づ

_{✏️ Tip: You can disable in-progress messages and the fortune message in your review settings.}

📝 Walkthrough

Walkthrough

The PR modifies the Buildkite Detective workflow to make the BUILDKITE_API_TOKEN optional, enabling a fallback mechanism that accesses public Buildkite pages when the API token is unavailable. Changes include workflow configuration updates, documentation revisions, and network destination allowlist expansion.

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/gh-aw-pr-buildkite-detective.md	Makes BUILDKITE_API_TOKEN optional (required: false), extends allowed network destinations to include buildkite.com, and replaces single Buildkite step with dual-path approach: Step 2a uses Buildkite MCP when token is available; Step 2b falls back to public Buildkite pages for log retrieval when token is absent.
Documentation & Examples .github/workflows/trigger-pr-buildkite-detective.yml, gh-agent-workflows/pr-buildkite-detective/README.md, gh-agent-workflows/pr-buildkite-detective/example.yml	Adds inline comments and updates Required Secrets section to clarify that BUILDKITE_API_TOKEN is optional for public pipelines, with logs fetched from public build pages as fallback.

Sequence Diagram

sequenceDiagram
    actor GHA as GitHub Action
    participant Chk as Token Check
    participant MCP as Buildkite MCP API
    participant Pub as Buildkite Public Pages
    
    GHA->>Chk: Check BUILDKITE_API_TOKEN
    alt Token Available
        Chk-->>GHA: Token present
        GHA->>MCP: Request build & job logs via MCP
        MCP-->>GHA: Return logs (detailed)
    else Token Unavailable
        Chk-->>GHA: Token absent
        GHA->>Pub: Discover & fetch public build page
        Pub-->>GHA: Return HTML
        GHA->>Pub: Parse & extract logs
        Pub-->>GHA: Return logs (public)
    end
    GHA-->>GHA: Process logs

Loading

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly Related PRs

• Add PR Buildkite detective workflow #246: Directly conflicts with this PR on BUILDKITE_API_TOKEN handling and Buildkite access approach across the same workflow files.

Suggested Reviewers

• github-actions

Poem

🐰 A token optional, a path that's new,
When secrets are absent, the rabbit knows what to do—
Public pages gleam where APIs once shone,
Fallback paths flow, no token, no moan! 📜✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: enabling support for public Buildkite pipelines by making the API token optional and adding a fallback mechanism.
Linked Issues check	✅ Passed	The PR fully addresses issue #423 requirements: making BUILDKITE_API_TOKEN optional, discovering Buildkite URLs from PR commit statuses, fetching logs from public pages via web-fetch, and implementing generic discovery/fetch logic without relying on private API access.
Out of Scope Changes check	✅ Passed	All changes are directly related to supporting public Buildkite pipelines: workflow configuration updates, allowlist additions, fallback step implementation, and documentation/example updates. No unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/support-public-buildkite-logs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

[HIGH] Runtime workflow artifact is not regenerated

This change makes BUILDKITE_API_TOKEN optional in the source .md, but the compiled workflow used at runtime still requires it (.github/workflows/gh-aw-pr-buildkite-detective.lock.yml:87-89 still has required: true). The same lock file also still lacks buildkite.com in its allowlist (allowed_domains at line 603), so the new public fallback cannot actually run when triggered via trigger-pr-buildkite-detective.yml (which calls the lock file).

Please regenerate and commit the corresponding .lock.yml artifact so the behavior change is effective.

[strawgate]

/ai please address pr feedback

[github-actions]

I investigated the requested PR feedback and confirmed the blocker is in .github/workflows/gh-aw-pr-buildkite-detective.lock.yml: BUILDKITE_API_TOKEN is still required: true (lines 87-88) and buildkite.com is still missing from allowed_domains (line 603), so the public fallback is not active at runtime.

I cannot push a fix from this run because workflow-file edits under .github/workflows/ are restricted in this environment. Please regenerate and commit the lock artifact (or manually apply those two updates in the lock file) so it matches the updated source .md workflow.

---

What is this? | From workflow: Mention in PR

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.