feat(client-codebuild): AWS CodeBuild now supports comment-based pull request control.

awstools · awstools · commit 14bb03676199 · 2025-08-07T18:21:53.000Z
diff --git a/clients/client-codebuild/src/commands/CreateWebhookCommand.ts b/clients/client-codebuild/src/commands/CreateWebhookCommand.ts
@@ -64,6 +64,12 @@ export interface CreateWebhookCommandOutput extends CreateWebhookOutput, __Metad
  *     domain: "STRING_VALUE",
  *     scope: "GITHUB_ORGANIZATION" || "GITHUB_GLOBAL" || "GITLAB_GROUP", // required
  *   },
+ *   pullRequestBuildPolicy: { // PullRequestBuildPolicy
+ *     requiresCommentApproval: "DISABLED" || "ALL_PULL_REQUESTS" || "FORK_PULL_REQUESTS", // required
+ *     approverRoles: [ // PullRequestBuildApproverRoles
+ *       "GITHUB_READ" || "GITHUB_TRIAGE" || "GITHUB_WRITE" || "GITHUB_MAINTAIN" || "GITHUB_ADMIN" || "GITLAB_GUEST" || "GITLAB_PLANNER" || "GITLAB_REPORTER" || "GITLAB_DEVELOPER" || "GITLAB_MAINTAINER" || "GITLAB_OWNER" || "BITBUCKET_READ" || "BITBUCKET_WRITE" || "BITBUCKET_ADMIN",
+ *     ],
+ *   },
  * };
  * const command = new CreateWebhookCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-codebuild/src/commands/UpdateWebhookCommand.ts b/clients/client-codebuild/src/commands/UpdateWebhookCommand.ts
@@ -53,6 +53,12 @@ export interface UpdateWebhookCommandOutput extends UpdateWebhookOutput, __Metad
  *     ],
  *   ],
  *   buildType: "BUILD" || "BUILD_BATCH" || "RUNNER_BUILDKITE_BUILD",
+ *   pullRequestBuildPolicy: { // PullRequestBuildPolicy
+ *     requiresCommentApproval: "DISABLED" || "ALL_PULL_REQUESTS" || "FORK_PULL_REQUESTS", // required
+ *     approverRoles: [ // PullRequestBuildApproverRoles
+ *       "GITHUB_READ" || "GITHUB_TRIAGE" || "GITHUB_WRITE" || "GITHUB_MAINTAIN" || "GITHUB_ADMIN" || "GITLAB_GUEST" || "GITLAB_PLANNER" || "GITLAB_REPORTER" || "GITLAB_DEVELOPER" || "GITLAB_MAINTAINER" || "GITLAB_OWNER" || "BITBUCKET_READ" || "BITBUCKET_WRITE" || "BITBUCKET_ADMIN",
+ *     ],
+ *   },
  * };
  * const command = new UpdateWebhookCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-codebuild/src/models/models_0.ts b/clients/client-codebuild/src/models/models_0.ts
@@ -5979,6 +5979,81 @@ export interface CreateReportGroupOutput {
   reportGroup?: ReportGroup | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const PullRequestBuildApproverRole = {
+  BITBUCKET_ADMIN: "BITBUCKET_ADMIN",
+  BITBUCKET_READ: "BITBUCKET_READ",
+  BITBUCKET_WRITE: "BITBUCKET_WRITE",
+  GITHUB_ADMIN: "GITHUB_ADMIN",
+  GITHUB_MAINTAIN: "GITHUB_MAINTAIN",
+  GITHUB_READ: "GITHUB_READ",
+  GITHUB_TRIAGE: "GITHUB_TRIAGE",
+  GITHUB_WRITE: "GITHUB_WRITE",
+  GITLAB_DEVELOPER: "GITLAB_DEVELOPER",
+  GITLAB_GUEST: "GITLAB_GUEST",
+  GITLAB_MAINTAINER: "GITLAB_MAINTAINER",
+  GITLAB_OWNER: "GITLAB_OWNER",
+  GITLAB_PLANNER: "GITLAB_PLANNER",
+  GITLAB_REPORTER: "GITLAB_REPORTER",
+} as const;
+
+/**
+ * @public
+ */
+export type PullRequestBuildApproverRole =
+  (typeof PullRequestBuildApproverRole)[keyof typeof PullRequestBuildApproverRole];
+
+/**
+ * @public
+ * @enum
+ */
+export const PullRequestBuildCommentApproval = {
+  ALL_PULL_REQUESTS: "ALL_PULL_REQUESTS",
+  DISABLED: "DISABLED",
+  FORK_PULL_REQUESTS: "FORK_PULL_REQUESTS",
+} as const;
+
+/**
+ * @public
+ */
+export type PullRequestBuildCommentApproval =
+  (typeof PullRequestBuildCommentApproval)[keyof typeof PullRequestBuildCommentApproval];
+
+/**
+ * <p>Configuration policy that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.</p>
+ * @public
+ */
+export interface PullRequestBuildPolicy {
+  /**
+   * <p>Specifies when comment-based approval is required before triggering a build on pull requests. This setting determines whether builds run automatically or require explicit approval through comments.</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <i>DISABLED</i>: Builds trigger automatically without requiring comment approval</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <i>ALL_PULL_REQUESTS</i>: All pull requests require comment approval before builds execute (unless contributor is one of the approver roles)</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <i>FORK_PULL_REQUESTS</i>: Only pull requests from forked repositories require comment approval (unless contributor is one of the approver roles)</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  requiresCommentApproval: PullRequestBuildCommentApproval | undefined;
+
+  /**
+   * <p>List of repository roles that have approval privileges for pull request builds when comment approval is required. Only users with these roles can provide valid comment approvals. If a pull request contributor is one of these roles, their pull request builds will trigger automatically. This field is only applicable when <code>requiresCommentApproval</code> is not <i>DISABLED</i>.</p>
+   * @public
+   */
+  approverRoles?: PullRequestBuildApproverRole[] | undefined;
+}
+
 /**
  * @public
  */
@@ -6044,6 +6119,12 @@ export interface CreateWebhookInput {
    * @public
    */
   scopeConfiguration?: ScopeConfiguration | undefined;
+
+  /**
+   * <p>A PullRequestBuildPolicy object that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.</p>
+   * @public
+   */
+  pullRequestBuildPolicy?: PullRequestBuildPolicy | undefined;
 }
 
 /**
@@ -8329,7 +8410,8 @@ export interface StartBuildInput {
    *             <p>Since this property allows you to change the build commands that will run in the container,
    *             you should note that an IAM principal with the ability to call this API and set this parameter
    *             can override the default settings. Moreover, we encourage that you use a trustworthy buildspec location
-   *             like a file in your source repository or a Amazon S3 bucket.</p>
+   *             like a file in your source repository or a Amazon S3 bucket. Alternatively, you can restrict overrides
+   *             to the buildspec by using a condition key: <a href="https://docs.aws.amazon.com/codebuild/latest/userguide/action-context-keys.html#action-context-keys-example-overridebuildspec.html">Prevent unauthorized modifications to project buildspec</a>.</p>
    *          </note>
    * @public
    */
@@ -9647,6 +9729,12 @@ export interface UpdateWebhookInput {
    * @public
    */
   buildType?: WebhookBuildType | undefined;
+
+  /**
+   * <p>A PullRequestBuildPolicy object that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.</p>
+   * @public
+   */
+  pullRequestBuildPolicy?: PullRequestBuildPolicy | undefined;
 }
 
 /**
diff --git a/clients/client-codebuild/src/protocols/Aws_json1_1.ts b/clients/client-codebuild/src/protocols/Aws_json1_1.ts
@@ -239,6 +239,8 @@ import {
   ProjectSource,
   ProjectSourceVersion,
   ProxyConfiguration,
+  PullRequestBuildApproverRole,
+  PullRequestBuildPolicy,
   PutResourcePolicyInput,
   RegistryCredential,
   Report,
@@ -2565,6 +2567,10 @@ const se_DescribeCodeCoveragesInput = (input: DescribeCodeCoveragesInput, contex
 
 // se_ProxyConfiguration omitted.
 
+// se_PullRequestBuildApproverRoles omitted.
+
+// se_PullRequestBuildPolicy omitted.
+
 // se_PutResourcePolicyInput omitted.
 
 // se_RegistryCredential omitted.
diff --git a/codegen/sdk-codegen/aws-models/codebuild.json b/codegen/sdk-codegen/aws-models/codebuild.json
@@ -3632,6 +3632,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The scope configuration for global or organization webhooks.</p>\n         <note>\n            <p>Global or organization webhooks are only available for GitHub and Github Enterprise webhooks.</p>\n         </note>"
           }
+        },
+        "pullRequestBuildPolicy": {
+          "target": "com.amazonaws.codebuild#PullRequestBuildPolicy",
+          "traits": {
+            "smithy.api#documentation": "<p>A PullRequestBuildPolicy object that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.</p>"
+          }
         }
       },
       "traits": {
@@ -7421,6 +7427,145 @@
         "smithy.api#documentation": "<p>Information about the proxy configurations that apply network access control to your reserved capacity instances.</p>"
       }
     },
+    "com.amazonaws.codebuild#PullRequestBuildApproverRole": {
+      "type": "enum",
+      "members": {
+        "GITHUB_READ": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITHUB_READ"
+          }
+        },
+        "GITHUB_TRIAGE": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITHUB_TRIAGE"
+          }
+        },
+        "GITHUB_WRITE": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITHUB_WRITE"
+          }
+        },
+        "GITHUB_MAINTAIN": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITHUB_MAINTAIN"
+          }
+        },
+        "GITHUB_ADMIN": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITHUB_ADMIN"
+          }
+        },
+        "GITLAB_GUEST": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITLAB_GUEST"
+          }
+        },
+        "GITLAB_PLANNER": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITLAB_PLANNER"
+          }
+        },
+        "GITLAB_REPORTER": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITLAB_REPORTER"
+          }
+        },
+        "GITLAB_DEVELOPER": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITLAB_DEVELOPER"
+          }
+        },
+        "GITLAB_MAINTAINER": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITLAB_MAINTAINER"
+          }
+        },
+        "GITLAB_OWNER": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "GITLAB_OWNER"
+          }
+        },
+        "BITBUCKET_READ": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "BITBUCKET_READ"
+          }
+        },
+        "BITBUCKET_WRITE": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "BITBUCKET_WRITE"
+          }
+        },
+        "BITBUCKET_ADMIN": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "BITBUCKET_ADMIN"
+          }
+        }
+      }
+    },
+    "com.amazonaws.codebuild#PullRequestBuildApproverRoles": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.codebuild#PullRequestBuildApproverRole"
+      }
+    },
+    "com.amazonaws.codebuild#PullRequestBuildCommentApproval": {
+      "type": "enum",
+      "members": {
+        "DISABLED": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "DISABLED"
+          }
+        },
+        "ALL_PULL_REQUESTS": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ALL_PULL_REQUESTS"
+          }
+        },
+        "FORK_PULL_REQUESTS": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "FORK_PULL_REQUESTS"
+          }
+        }
+      }
+    },
+    "com.amazonaws.codebuild#PullRequestBuildPolicy": {
+      "type": "structure",
+      "members": {
+        "requiresCommentApproval": {
+          "target": "com.amazonaws.codebuild#PullRequestBuildCommentApproval",
+          "traits": {
+            "smithy.api#documentation": "<p>Specifies when comment-based approval is required before triggering a build on pull requests. This setting determines whether builds run automatically or require explicit approval through comments.</p>\n         <ul>\n            <li>\n               <p>\n                  <i>DISABLED</i>: Builds trigger automatically without requiring comment approval</p>\n            </li>\n            <li>\n               <p>\n                  <i>ALL_PULL_REQUESTS</i>: All pull requests require comment approval before builds execute (unless contributor is one of the approver roles)</p>\n            </li>\n            <li>\n               <p>\n                  <i>FORK_PULL_REQUESTS</i>: Only pull requests from forked repositories require comment approval (unless contributor is one of the approver roles)</p>\n            </li>\n         </ul>",
+            "smithy.api#required": {}
+          }
+        },
+        "approverRoles": {
+          "target": "com.amazonaws.codebuild#PullRequestBuildApproverRoles",
+          "traits": {
+            "smithy.api#documentation": "<p>List of repository roles that have approval privileges for pull request builds when comment approval is required. Only users with these roles can provide valid comment approvals. If a pull request contributor is one of these roles, their pull request builds will trigger automatically. This field is only applicable when <code>requiresCommentApproval</code> is not <i>DISABLED</i>.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Configuration policy that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.</p>"
+      }
+    },
     "com.amazonaws.codebuild#PutResourcePolicy": {
       "type": "operation",
       "input": {
@@ -9161,7 +9306,7 @@
         "buildspecOverride": {
           "target": "com.amazonaws.codebuild#String",
           "traits": {
-            "smithy.api#documentation": "<p>A buildspec file declaration that overrides the latest one defined \n            in the build project, for this build only. The buildspec defined on the project is not changed.</p>\n         <p>If this value is set, it can be either an inline buildspec definition, the path to an\n            alternate buildspec file relative to the value of the built-in\n                <code>CODEBUILD_SRC_DIR</code> environment variable, or the path to an S3 bucket.\n            The bucket must be in the same Amazon Web Services Region as the build project. Specify the buildspec\n            file using its ARN (for example,\n                <code>arn:aws:s3:::my-codebuild-sample2/buildspec.yml</code>). If this value is not\n            provided or is set to an empty string, the source code must contain a buildspec file in\n            its root directory. For more information, see <a href=\"https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-name-storage\">Buildspec File Name and Storage Location</a>.</p>\n         <note>\n            <p>Since this property allows you to change the build commands that will run in the container, \n            you should note that an IAM principal with the ability to call this API and set this parameter \n            can override the default settings. Moreover, we encourage that you use a trustworthy buildspec location \n            like a file in your source repository or a Amazon S3 bucket.</p>\n         </note>"
+            "smithy.api#documentation": "<p>A buildspec file declaration that overrides the latest one defined \n            in the build project, for this build only. The buildspec defined on the project is not changed.</p>\n         <p>If this value is set, it can be either an inline buildspec definition, the path to an\n            alternate buildspec file relative to the value of the built-in\n                <code>CODEBUILD_SRC_DIR</code> environment variable, or the path to an S3 bucket.\n            The bucket must be in the same Amazon Web Services Region as the build project. Specify the buildspec\n            file using its ARN (for example,\n                <code>arn:aws:s3:::my-codebuild-sample2/buildspec.yml</code>). If this value is not\n            provided or is set to an empty string, the source code must contain a buildspec file in\n            its root directory. For more information, see <a href=\"https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-name-storage\">Buildspec File Name and Storage Location</a>.</p>\n         <note>\n            <p>Since this property allows you to change the build commands that will run in the container, \n            you should note that an IAM principal with the ability to call this API and set this parameter \n            can override the default settings. Moreover, we encourage that you use a trustworthy buildspec location \n            like a file in your source repository or a Amazon S3 bucket. Alternatively, you can restrict overrides \n            to the buildspec by using a condition key: <a href=\"https://docs.aws.amazon.com/codebuild/latest/userguide/action-context-keys.html#action-context-keys-example-overridebuildspec.html\">Prevent unauthorized modifications to project buildspec</a>.</p>\n         </note>"
           }
         },
         "insecureSslOverride": {
@@ -10333,6 +10478,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Specifies the type of build this webhook will trigger.</p>\n         <note>\n            <p>\n               <code>RUNNER_BUILDKITE_BUILD</code> is only available for <code>NO_SOURCE</code> source type projects \n        configured for Buildkite runner builds. For more information about CodeBuild-hosted Buildkite runner builds, see <a href=\"https://docs.aws.amazon.com/codebuild/latest/userguide/sample-runner-buildkite.html\">Tutorial: Configure a CodeBuild-hosted Buildkite runner</a> in the <i>CodeBuild\n        user guide</i>.</p>\n         </note>"
           }
+        },
+        "pullRequestBuildPolicy": {
+          "target": "com.amazonaws.codebuild#PullRequestBuildPolicy",
+          "traits": {
+            "smithy.api#documentation": "<p>A PullRequestBuildPolicy object that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.</p>"
+          }
         }
       },
       "traits": {
