[Tooling] Use a trusted CI agent for pipelines that require push access

.buildkite/beta-builds.yml

@@ -4,12 +4,6 @@
 # This pipeline is meant to be run via the Buildkite API, and is
 # only used for beta builds
 
-# Nodes with values to reuse in the pipeline.
-common_params:
-  # Common plugin settings to use with the `plugins` key.
-  - &common_plugins
-    - automattic/a8c-ci-toolkit#3.4.2
-
 agents:
   queue: "android"
 
@@ -20,7 +14,7 @@ steps:
   - label: "Gradle Wrapper Validation"
     command: |
       validate_gradle_wrapper
-    plugins: *common_plugins
+    plugins: [$CI_TOOLKIT]
 
   # Wait for Gradle Wrapper to be validated before running any other jobs
   - wait
@@ -53,15 +47,15 @@ steps:
         key: wpbuild
         command: ".buildkite/commands/beta-build.sh wordpress"
         depends_on: wplint
-        plugins: *common_plugins
+        plugins: [$CI_TOOLKIT]
         notify:
           - slack: "#build-and-ship"
 
       - label: ":jetpack: :android: Beta Build"
         key: jpbuild
         command: ".buildkite/commands/beta-build.sh jetpack"
         depends_on: jplint
-        plugins: *common_plugins
+        plugins: [$CI_TOOLKIT]
         notify:
           - slack: "#build-and-ship"
 
@@ -73,4 +67,4 @@ steps:
       - wpbuild
       - jpbuild
     command: ".buildkite/commands/create-github-release.sh"
-    plugins: *common_plugins
+    plugins: [$CI_TOOLKIT]

.buildkite/code-freeze.yml

@@ -1,15 +1,15 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 ---
 
-agents:
-  queue: "android"
 
 steps:
   - label: "Code Freeze"
     plugins: [$CI_TOOLKIT]
     command: |
-      .buildkite/commands/configure-git-for-release-management.sh
+      source .buildkite/commands/configure-git-for-release-management.sh
 
       install_gems
 
       bundle exec fastlane code_freeze skip_confirm:true
+    agents:
+       queue: "tumblr-metal"

.buildkite/commands/configure-git-for-release-management.sh

@@ -1,10 +1,11 @@
 #!/bin/bash -eu
 
-# Git command line client is not configured in Buildkite. Temporarily, we configure it in each step.
-# Later on, we should be able to configure the agent instead.
-curl -L https://api.github.com/meta | jq -r '.ssh_keys | .[]' | sed -e 's/^/github.com /' >> ~/.ssh/known_hosts
-git config --global user.email "mobile+wpmobilebot@automattic.com"
-git config --global user.name "Automattic Release Bot"
+# This script needs to be source'd as use-bot-for-git exports a variable and this needs to be visible outside
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+  echo "This script must be 'source'd (instead of being called directly as an executable) to work properly"
+  exit 1
+fi
 
-# Buildkite is currently using the https url to checkout. We need to override it to be able to use the deploy key.
-git remote set-url origin git@github.com:wordpress-mobile/WordPress-Android.git
+echo '--- :robot_face: Use bot for git operations'
+# shellcheck disable=SC1091
+source use-bot-for-git

.buildkite/complete-code-freeze.yml

@@ -1,16 +1,16 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 ---
 
-agents:
-  queue: "android"
 
 steps:
   - label: "Complete Code Freeze"
     plugins: [$CI_TOOLKIT]
     command: |
-      .buildkite/commands/configure-git-for-release-management.sh
+      source .buildkite/commands/configure-git-for-release-management.sh
       .buildkite/commands/checkout-release-branch.sh
 
       install_gems
 
       bundle exec fastlane complete_code_freeze skip_confirm:true
+    agents:
+       queue: "tumblr-metal"

.buildkite/finalize-release.yml

@@ -1,18 +1,18 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 ---
 
-agents:
-  queue: "android"
 
 steps:
   - label: "Finalize release"
     plugins: [$CI_TOOLKIT]
     command: |
-      .buildkite/commands/configure-git-for-release-management.sh
+      source .buildkite/commands/configure-git-for-release-management.sh
       .buildkite/commands/checkout-release-branch.sh
 
       install_gems
 
       cp gradle.properties-example gradle.properties
 
       bundle exec fastlane finalize_release skip_confirm:true
+    agents:
+       queue: "tumblr-metal"

.buildkite/new-beta-release.yml

@@ -1,17 +1,17 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 ---
 
-agents:
-  queue: "android"
 
 steps:
   - label: "New Beta Release"
     plugins: [$CI_TOOLKIT]
     command: |
-      .buildkite/commands/configure-git-for-release-management.sh
+      source .buildkite/commands/configure-git-for-release-management.sh
 
       install_gems
 
       cp gradle.properties-example gradle.properties
 
       bundle exec fastlane new_beta_release skip_confirm:true
+    agents:
+       queue: "tumblr-metal"

.buildkite/test-git-push.yml

@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
+---
+
+
+steps:
+  - label: "Test Git Push 👀"
+    plugins: [$CI_TOOLKIT]
+    command: |
+      install_gems
+
+      bundle exec fastlane test_git_push
+    agents:
+       queue: "tumblr-metal"

.buildkite/update-release-notes.yml

@@ -1,16 +1,16 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 ---
 
-agents:
-  queue: "android"
 
 steps:
   - label: "Update release notes"
     plugins: [$CI_TOOLKIT]
     command: |
-      .buildkite/commands/configure-git-for-release-management.sh
+      source .buildkite/commands/configure-git-for-release-management.sh
       .buildkite/commands/checkout-editorial-branch.sh
 
       install_gems
 
       bundle exec fastlane update_appstore_strings version:${RELEASE_VERSION}
+    agents:
+       queue: "tumblr-metal"

fastlane/lanes/release.rb

@@ -121,6 +121,19 @@
     create_release_management_pull_request('trunk', "Merge #{new_version} code freeze into trunk")
   end
 
+  lane :test_git_push do |options|
+    UI.message 'Bumping beta version and build code...'
+    VERSION_FILE.write_version(
+      version_name: code_freeze_beta_version,
+      version_code: next_build_code
+    )
+    commit_version_bump
+    push_to_git_remote(
+      local_branch: 'iangmaia/iangmaia/trusted-agent-for-push-access',
+      tags: false
+    )
+  end
+
   #####################################################################################
   # new_beta_release
   # -----------------------------------------------------------------------------------