From c94c0a1e36d57602d118199be9955c429a1321ff Mon Sep 17 00:00:00 2001 From: Ian Maia Date: Mon, 1 Jul 2024 20:04:48 +0200 Subject: [PATCH 1/3] Use a bot user in a trusted agent for pipelines that require git push operations --- .buildkite/code-freeze.yml | 6 +++--- .../configure-git-for-release-management.sh | 15 ++++++++------- .buildkite/complete-code-freeze.yml | 6 +++--- .buildkite/finalize-release.yml | 6 +++--- .buildkite/new-beta-release.yml | 6 +++--- .buildkite/update-release-notes.yml | 6 +++--- 6 files changed, 23 insertions(+), 22 deletions(-) diff --git a/.buildkite/code-freeze.yml b/.buildkite/code-freeze.yml index 09095a497234..bef42bc2d80f 100644 --- a/.buildkite/code-freeze.yml +++ b/.buildkite/code-freeze.yml @@ -1,15 +1,15 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json --- -agents: - queue: "android" steps: - label: "Code Freeze" plugins: [$CI_TOOLKIT] command: | - .buildkite/commands/configure-git-for-release-management.sh + source .buildkite/commands/configure-git-for-release-management.sh install_gems bundle exec fastlane code_freeze skip_confirm:true + agents: + queue: "tumblr-metal" diff --git a/.buildkite/commands/configure-git-for-release-management.sh b/.buildkite/commands/configure-git-for-release-management.sh index eb39be490f66..c7c4a7a0821f 100755 --- a/.buildkite/commands/configure-git-for-release-management.sh +++ b/.buildkite/commands/configure-git-for-release-management.sh 
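Review bot: In `.buildkite/code-freeze.yml`, `source .buildkite/commands/configure-git-for-release-management.sh` runs before `install_gems`, so whatever `use-bot-for-git` exports is already in the environment while third-party gems are installed; the script's comment says it exports a variable, presumably the bot's git credential, though that is not visible here. If `install_gems` does not itself need git access, move it above the `source` line so that only `bundle exec fastlane code_freeze skip_confirm:true` runs with push access. The same ordering appears in the complete-code-freeze, finalize-release, new-beta-release and update-release-notes hunks; where a branch checkout script sits between the two commands, the reorder needs more care because the gems must match the checked-out branch. A comment above `queue: "tumblr-metal"` such as `# trusted queue with bot push access; keep limited to release steps` would record why these steps left the `android` queue.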
@@ -1,10 +1,11 @@ #!/bin/bash -eu -# Git command line client is not configured in Buildkite. Temporarily, we configure it in each step. -# Later on, we should be able to configure the agent instead. -curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts -git config --global user.email "mobile+wpmobilebot@automattic.com" -git config --global user.name "Automattic Release Bot" +# This script needs to be source'd as use-bot-for-git exports a variable and this needs to be visible outside +if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then + echo "This script must be 'source'd (instead of being called directly as an executable) to work properly" + exit 1 +fi -# Buildkite is currently using the https url to checkout. We need to override it to be able to use the deploy key. -git remote set-url origin git@github.com:wordpress-mobile/WordPress-Android.git +echo '--- :robot_face: Use bot for git operations' +# shellcheck disable=SC1091 +source use-bot-for-git diff --git a/.buildkite/complete-code-freeze.yml b/.buildkite/complete-code-freeze.yml index 2b378accabdf..ea813bc1dcb5 100644 --- a/.buildkite/complete-code-freeze.yml +++ b/.buildkite/complete-code-freeze.yml @@ -1,16 +1,16 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json --- -agents: - queue: "android" steps: - label: "Complete Code Freeze" plugins: [$CI_TOOLKIT] command: | - .buildkite/commands/configure-git-for-release-management.sh + source .buildkite/commands/configure-git-for-release-management.sh .buildkite/commands/checkout-release-branch.sh install_gems bundle exec fastlane complete_code_freeze skip_confirm:true + agents: + queue: "tumblr-metal" diff --git a/.buildkite/finalize-release.yml b/.buildkite/finalize-release.yml index 015ba7cd5d78..2fd0869df661 100644 --- a/.buildkite/finalize-release.yml +++ b/.buildkite/finalize-release.yml 
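Review bot: In `configure-git-for-release-management.sh`, the `#!/bin/bash -eu` shebang has no effect now that the file must be sourced, so a failing `source use-bot-for-git` (for example when the helper is not on `PATH`) only stops the step if the calling shell already runs with `-e`. An explicit check makes the failure visible either way: `source use-bot-for-git || { echo "use-bot-for-git failed" >&2; return 1; }`. The removed lines also added GitHub's SSH host keys to `known_hosts` and switched `origin` to the SSH URL. Since the replacement is not visible in this hunk, the header comment should state that host-key verification and remote setup are now the responsibility of the helper or the agent image.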
@@ -1,14 +1,12 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json --- -agents: - queue: "android" steps: - label: "Finalize release" plugins: [$CI_TOOLKIT] command: | - .buildkite/commands/configure-git-for-release-management.sh + source .buildkite/commands/configure-git-for-release-management.sh .buildkite/commands/checkout-release-branch.sh install_gems @@ -16,3 +14,5 @@ steps: cp gradle.properties-example gradle.properties bundle exec fastlane finalize_release skip_confirm:true + agents: + queue: "tumblr-metal" diff --git a/.buildkite/new-beta-release.yml b/.buildkite/new-beta-release.yml index 3c2a9248fc18..4f2b8e441881 100644 --- a/.buildkite/new-beta-release.yml +++ b/.buildkite/new-beta-release.yml @@ -1,17 +1,17 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json --- -agents: - queue: "android" steps: - label: "New Beta Release" plugins: [$CI_TOOLKIT] command: | - .buildkite/commands/configure-git-for-release-management.sh + source .buildkite/commands/configure-git-for-release-management.sh install_gems cp gradle.properties-example gradle.properties bundle exec fastlane new_beta_release skip_confirm:true + agents: + queue: "tumblr-metal" diff --git a/.buildkite/update-release-notes.yml b/.buildkite/update-release-notes.yml index e484a67471ab..57ac1df0e312 100644 --- a/.buildkite/update-release-notes.yml +++ b/.buildkite/update-release-notes.yml 
@@ -1,16 +1,16 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json --- -agents: - queue: "android" steps: - label: "Update release notes" plugins: [$CI_TOOLKIT] command: | - .buildkite/commands/configure-git-for-release-management.sh + source .buildkite/commands/configure-git-for-release-management.sh .buildkite/commands/checkout-editorial-branch.sh install_gems bundle exec fastlane update_appstore_strings version:${RELEASE_VERSION} + agents: + queue: "tumblr-metal" From afe335dd0cdd01f585a3075e888e75bf31c23c3d Mon Sep 17 00:00:00 2001 From: Ian Maia Date: Tue, 2 Jul 2024 20:42:23 +0200 Subject: [PATCH 2/3] Replace plugin declaration to use shared var instead --- .buildkite/beta-builds.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.buildkite/beta-builds.yml b/.buildkite/beta-builds.yml index d7ee1deef39f..f6fb82ade867 100644 --- a/.buildkite/beta-builds.yml +++ b/.buildkite/beta-builds.yml @@ -4,12 +4,6 @@ # This pipeline is meant to be run via the Buildkite API, and is # only used for beta builds -# Nodes with values to reuse in the pipeline. -common_params: - # Common plugin settings to use with the `plugins` key. - - &common_plugins - - automattic/a8c-ci-toolkit#3.4.2 - agents: queue: "android" @@ -20,7 +14,7 @@ steps: - label: "Gradle Wrapper Validation" command: | validate_gradle_wrapper - plugins: *common_plugins + plugins: [$CI_TOOLKIT] # Wait for Gradle Wrapper to be validated before running any other jobs - wait @@ -53,7 +47,7 @@ steps: key: wpbuild command: ".buildkite/commands/beta-build.sh wordpress" depends_on: wplint - plugins: *common_plugins + plugins: [$CI_TOOLKIT] notify: - slack: "#build-and-ship" @@ -61,7 +55,7 @@ steps: key: jpbuild command: ".buildkite/commands/beta-build.sh jetpack" depends_on: jplint - plugins: *common_plugins + plugins: [$CI_TOOLKIT] notify: - slack: "#build-and-ship" 
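Review bot: In `.buildkite/beta-builds.yml`, replacing the in-file pin `automattic/a8c-ci-toolkit#3.4.2` with `plugins: [$CI_TOOLKIT]` makes the plugin version depend on an environment variable that this file no longer defines. This applies from the "Gradle Wrapper Validation" step onward and in the three later hunks. The file's header comment says this pipeline is run via the Buildkite API, so confirm that `CI_TOOLKIT` is set on that entry path and that its value still pins a fixed plugin version rather than a moving reference. A comment near the top, e.g. `# $CI_TOOLKIT is defined in <shared pipeline vars file> and must pin a plugin version`, would tell readers where the pin now lives.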
@@ -73,4 +67,4 @@ steps: - wpbuild - jpbuild command: ".buildkite/commands/create-github-release.sh" - plugins: *common_plugins + plugins: [$CI_TOOLKIT] From e8419cac2699ed0f5d4037275c2e53f20526b870 Mon Sep 17 00:00:00 2001 From: Ian Maia Date: Tue, 2 Jul 2024 20:45:17 +0200 Subject: [PATCH 3/3] [TO REVERT] Add temp lane to test git push permissions --- .buildkite/test-git-push.yml | 13 +++++++++++++ fastlane/lanes/release.rb | 13 +++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 .buildkite/test-git-push.yml diff --git a/.buildkite/test-git-push.yml b/.buildkite/test-git-push.yml new file mode 100644 index 000000000000..cbbd7bdf2471 --- /dev/null +++ b/.buildkite/test-git-push.yml @@ -0,0 +1,13 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json +--- + + +steps: + - label: "Test Git Push 👀" + plugins: [$CI_TOOLKIT] + command: | + install_gems + + bundle exec fastlane test_git_push + agents: + queue: "tumblr-metal" diff --git a/fastlane/lanes/release.rb b/fastlane/lanes/release.rb index d8491ed76b88..0560839b7b03 100644 --- a/fastlane/lanes/release.rb +++ b/fastlane/lanes/release.rb @@ -121,6 +121,19 @@ create_release_management_pull_request('trunk', "Merge #{new_version} code freeze into trunk") end + lane :test_git_push do |options| + UI.message 'Bumping beta version and build code...' + VERSION_FILE.write_version( + version_name: code_freeze_beta_version, + version_code: next_build_code + ) + commit_version_bump + push_to_git_remote( + local_branch: 'iangmaia/iangmaia/trusted-agent-for-push-access', + tags: false + ) + end + ##################################################################################### # new_beta_release # -----------------------------------------------------------------------------------
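Review bot: In the new `.buildkite/test-git-push.yml`, the step never sources `.buildkite/commands/configure-git-for-release-management.sh`, unlike the release pipelines changed in patch 1/3. As far as this hunk shows, the push would therefore run with whatever git identity and credentials the `tumblr-metal` agent has by default, not with the bot setup being introduced. If the goal is to validate the bot's push permissions, add `source .buildkite/commands/configure-git-for-release-management.sh` as the first line of `command:` so the test exercises the same path as the real release steps.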
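Review bot: In `fastlane/lanes/release.rb`, `test_git_push` commits a version bump and pushes `local_branch: 'iangmaia/iangmaia/trusted-agent-for-push-access'` without checking which branch the build is on, so a run triggered from another branch commits onto that checkout and then pushes a branch name that may not match it. Because the lane runs on the queue that holds push access, guard it with a line such as `ensure_git_branch(branch: '^iangmaia/')` before `VERSION_FILE.write_version`, and confirm that the doubled `iangmaia/iangmaia/` prefix is intended. The `|options|` block parameter is unused and can be dropped. The commit subject is marked [TO REVERT]; a `# TEMPORARY: remove before merge` comment above the lane would keep that visible in the file itself.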