This page explains the schema of the Secure Source Manager triggers file. For instructions on creating a triggers file, see Create a triggers file.
A triggers file contains instructions for Secure Source Manager to trigger the steps defined in a Cloud Build config file based on a push or pull request event in Secure Source Manager.
You can configure your branch protection rules to require a successful status check from specific triggers. To learn more about branch protection, read the Branch protection overview.
Structure of a triggers file
The triggers configuration file must be created in the default branch of your repository. You can write the triggers file using YAML syntax.
A triggers file has the following structure:
triggers:
- name: string
  project: string
  configFilePath: string
  eventType: string
  includedGitRefs: string
  ignoredGitRefs: string
  includedFiles: string
  ignoredFiles: string
  serviceAccount: string
  disabled: bool
  substitutions: map[string]string
- name: string
  ...
Each named section of the triggers file defines the Cloud Build configuration to use for the given event type in Secure Source Manager.
Triggers
A trigger specifies what Secure Source Manager event type you want to use to trigger the completion of the steps in a specific Cloud Build config file. You can also specify which branches are monitored for the specified event.
Use the name field in the triggers file to identify a trigger. Here's an example of the kind of configuration you might set in the triggers file:
triggers:
- name: presubmit-test
  project: my-project
  configFilePath: test.yaml
  eventType: pull_request
  includedGitRefs: ^main$
  ignoredGitRefs: .*log
  serviceAccount: projects/my-project/serviceAccounts/[email protected]
  includedFiles: .*
  ignoredFiles: my-file.txt
  disabled: false
- name: postsubmit-run
  project: my-project
  configFilePath: run.yaml
  eventType: push
  includedGitRefs: ^main$
  ignoredGitRefs: dev-branch
  serviceAccount: projects/my-project/serviceAccounts/[email protected]
  disabled: false
  substitutions:
    _NODE_VERSION_1: v6.9.1
    REPO_NAME: dev
name
Required. Use the name field of the trigger to identify your trigger. Trigger names can only contain alphanumeric characters and dashes, and can't start or end with a dash. Trigger names must be less than 64 characters long.
project
Optional. Use the project field to identify the Google Cloud project where you enabled Cloud Build.
The default is the Secure Source Manager project.
configFilePath
Optional. Path to the Cloud Build configuration file.
The default is .cloudbuild/cloudbuild.yaml.
eventType
Optional. The event type to trigger on. Options are push for pushes to the selected branches or pull_request for pull requests to the selected branches.
The default is push.
includedGitRefs
Optional. A RE2 format regular expression matching the Git references that trigger a build.
The default is empty. An empty includedGitRefs filter field indicates that there are no restrictions.
If the Git reference isn't included in the ignoredGitRefs filter field, Secure Source Manager checks the includedGitRefs filter field. If the Git reference is in the includedGitRefs filter field, a build is triggered. If the includedGitRefs filter field isn't empty, and the Git reference isn't included in the includedGitRefs filter field, a build isn't triggered.
ignoredGitRefs
Optional. A RE2 format regular expression matching Git references that shouldn't trigger a build.
The default is empty. An empty ignoredGitRefs filter field indicates that there are no restrictions.
Secure Source Manager checks the ignoredGitRefs filter field first. If it's not empty and the Git reference matches the ignoredGitRefs filter field, a build isn't triggered.
serviceAccount
Required. The Cloud Build service account to use for the build.
Format: projects/PROJECT_ID/serviceAccounts/ACCOUNT
Replace the following:
- PROJECT_ID: the Google Cloud project ID where you created the service account.
- ACCOUNT: the email address or unique ID of the service account.
includedFiles
Optional. A RE2 format regular expression matching files that should trigger a build when changed.
If the changed files are not in the ignoredFiles filter field, and the changed files match the includedFiles filter field, a build is triggered.
The default is empty. An empty filter field indicates that there are no restrictions.
ignoredFiles
Optional. A RE2 format regular expression matching files that shouldn't trigger a build when changed.
If the ignoredFiles filter field isn't empty, commits that only include files that match the ignoredFiles filter field won't trigger a build. The default is empty. An empty filter indicates that there are no restrictions.
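The evaluation order described under includedGitRefs, ignoredGitRefs, includedFiles and ignoredFiles can be checked locally before relying on a trigger for branch protection. The following is an added example, not Secure Source Manager code. It assumes patterns are matched unanchored, that the Git reference is passed as a branch name as in the patterns on this page, and it uses Python's re module as a stand-in for RE2; the function names are hypothetical.

```python
import re

def _matches(pattern, value):
    # Assumption: unanchored search (the page's own patterns anchor with ^main$).
    # Python's re stands in for RE2; keep to syntax both engines accept.
    return re.search(pattern, value) is not None

def ref_allows_build(trigger, git_ref):
    ignored = trigger.get("ignoredGitRefs", "")
    included = trigger.get("includedGitRefs", "")
    # ignoredGitRefs is checked first: a match means no build.
    if ignored and _matches(ignored, git_ref):
        return False
    # Empty includedGitRefs means no restriction; otherwise the ref must match.
    return not included or _matches(included, git_ref)

def files_allow_build(trigger, changed_files):
    ignored = trigger.get("ignoredFiles", "")
    included = trigger.get("includedFiles", "")
    remaining = [f for f in changed_files
                 if not (ignored and _matches(ignored, f))]
    # A commit that only touches ignored files does not trigger a build.
    if ignored and not remaining:
        return False
    # Assumption: one non-ignored file matching includedFiles is enough.
    return not included or any(_matches(included, f) for f in remaining)

def should_trigger(trigger, event_type, git_ref, changed_files):
    if trigger.get("disabled", False):
        return False
    if trigger.get("eventType", "push") != event_type:  # default is push
        return False
    return (ref_allows_build(trigger, git_ref)
            and files_allow_build(trigger, changed_files))

# Constructed sample: the filter fields of the page's presubmit-test trigger.
PRESUBMIT = {
    "name": "presubmit-test", "eventType": "pull_request",
    "includedGitRefs": "^main$", "ignoredGitRefs": ".*log",
    "includedFiles": ".*", "ignoredFiles": "my-file.txt", "disabled": False,
}

if __name__ == "__main__":
    for ref, files in [("main", ["src/app.py"]), ("main", ["my-file.txt"]),
                       ("changelog", ["src/app.py"]), ("mainline", ["src/app.py"])]:
        print(ref, files, should_trigger(PRESUBMIT, "pull_request", ref, files))
```

Under the unanchored assumption, an ignore pattern such as my-file.txt also matches docs/my-file.txt, so a required status check would not run for a commit that changes only that file.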
disabled
Optional. A boolean to set if the trigger is disabled or not. Values are true or false.
The default is false.
substitutions
Use substitutions in your triggers file to substitute specific variables at build time in your Cloud Build config file.
Substitutions must begin with an underscore, and can only contain uppercase letters, underscores and numbers, or be one of the Secure Source Manager substitution variables.
Secure Source Manager provides the following default substitution variables:
- TRIGGER_NAME: the name associated with the trigger.
- COMMIT_SHA: the commit ID associated with the trigger.
- REVISION_ID: the commit ID associated with the trigger.
- SHORT_SHA: the first seven characters of COMMIT_SHA.
- REPO_NAME: the name of the repository. For example: my-repo.
- REPO_FULL_NAME: the resource path of the repository, for example: projects/my-project/locations/us-central/repositories/test-repo.
- REF_NAME: the name of the branch or tag associated with the trigger.
- TRIGGER_BUILD_CONFIG_PATH: the path to the build configuration file used during your build execution.
For information on how to include Secure Source Manager substitution variables in your Cloud Build configuration file, see Substituting variable values.
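The field rules on this page (trigger name, required serviceAccount format, eventType values, filter patterns and substitution keys) can be enforced in review or pre-commit before the triggers file reaches the default branch. The following linter is an added example, not a Secure Source Manager tool. It takes an already-parsed trigger as a dict, treats "alphanumeric" as ASCII letters and digits (an assumption), and its function and constant names are hypothetical.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")  # ASCII assumed
SERVICE_ACCOUNT_RE = re.compile(r"projects/[^/\s]+/serviceAccounts/[^/\s]+")
USER_SUBSTITUTION_RE = re.compile(r"_[A-Z0-9_]*")
BUILTIN_SUBSTITUTIONS = {
    "TRIGGER_NAME", "COMMIT_SHA", "REVISION_ID", "SHORT_SHA", "REPO_NAME",
    "REPO_FULL_NAME", "REF_NAME", "TRIGGER_BUILD_CONFIG_PATH",
}
FILTER_FIELDS = ("includedGitRefs", "ignoredGitRefs", "includedFiles", "ignoredFiles")

def lint_trigger(trigger):
    """Return a list of 'field: problem' strings; empty means no findings."""
    problems = []
    name = trigger.get("name", "")
    if not NAME_RE.fullmatch(name) or len(name) >= 64:
        problems.append("name: alphanumerics and dashes only, no leading or "
                        "trailing dash, fewer than 64 characters")
    if not SERVICE_ACCOUNT_RE.fullmatch(trigger.get("serviceAccount", "")):
        problems.append("serviceAccount: required, in the form "
                        "projects/PROJECT_ID/serviceAccounts/ACCOUNT")
    if trigger.get("eventType", "push") not in ("push", "pull_request"):
        problems.append("eventType: must be push or pull_request")
    for field in FILTER_FIELDS:
        try:
            # Python's re is a stand-in: it catches malformed patterns but also
            # accepts lookarounds and backreferences, which RE2 rejects.
            re.compile(trigger.get(field, ""))
        except re.error as exc:
            problems.append(f"{field}: invalid regular expression ({exc})")
    for key in trigger.get("substitutions", {}):
        if key not in BUILTIN_SUBSTITUTIONS and not USER_SUBSTITUTION_RE.fullmatch(key):
            problems.append(f"substitutions: {key!r} must start with an underscore "
                            "and use only uppercase letters, digits and underscores")
    return problems

# Constructed samples; the service account value is a made-up placeholder.
GOOD = {"name": "postsubmit-run", "eventType": "push", "includedGitRefs": "^main$",
        "serviceAccount": "projects/my-project/serviceAccounts/build-sa@example.invalid",
        "substitutions": {"_NODE_VERSION_1": "v6.9.1", "REPO_NAME": "dev"}}
BAD = {"name": "-presubmit-", "eventType": "push", "ignoredGitRefs": "(dev",
       "substitutions": {"node_version": "v6.9.1"}}
```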
What's next
- Create a triggers file
- Learn more about Cloud Build configuration files by reading Build configuration file schema