// Investigates Buildkite pipeline failures to find root causes. Returns structured JSON to the parent for formatting. Triggers when users ask about failing pipelines, build errors, or need help debugging CI/CD issues. Accepts Buildkite build URLs or build numbers and performs deep investigation.
Interact with Dependabot and Snyk pull requests for dependency upgrades and security fixes. Documents Dependabot commands, javax/jakarta compatibility checks, safe merge workflows, and troubleshooting. Use when managing dependency upgrade PRs or security fix PRs.
Monitors Dependabot and Snyk dependency upgrade PRs, automatically merging them when builds pass. Handles javax/jakarta compatibility validation and provides detailed status reporting. Use when the user says "monitor PRs", "watch builds", "auto-merge PRs", "merge passing PRs", or "watch dependency PRs".
Deep adversarial code review using the 8-lens review constitution. Examines diffs for correctness, security, completeness, and MockServer-specific concerns (ByteBuf leaks, module boundaries, javax/jakarta compatibility, ring buffer sizing). Use when performing pre-commit reviews, quality-loop iterations, or on-demand code audits. Loaded by review-cheap and review-final agents.
Deep adversarial specification review using the 8-lens review constitution. Evaluates design documents, plans, and specs for ambiguity, completeness, feasibility, security, and MockServer-specific concerns. Loaded by review-cheap and review-final agents.
Builds and pushes the MockServer Maven CI Docker image locally. Covers corporate CA certificate setup, architecture selection (amd64 vs arm64), buildx gotchas with corporate TLS proxies, and Docker Hub authentication. Use when the user says "build docker image", "push maven image", "rebuild CI image", "docker build", "push to docker hub", or needs to manually build/push the mockserver/mockserver:maven image outside of CI.
Prepares a MockServer release by recommending the release version from Semantic Versioning rules and `changelog.md`, checking release readiness, and listing the exact Buildkite release parameters. Use when users say "prepare release", "release version", "run the release pipeline", "which version should we release", or need to verify changelog and secret readiness before triggering the release pipeline.
| name | pipeline-investigation |
| description | Investigates Buildkite pipeline failures to find root causes. Returns structured JSON to the parent for formatting. Triggers when users ask about failing pipelines, build errors, or need help debugging CI/CD issues. Accepts Buildkite build URLs or build numbers and performs deep investigation. |
Investigate Buildkite pipeline failures systematically to identify root causes. This skill uses the Buildkite CLI (bk) as the primary interface, with REST API fallback.
The bk CLI is the preferred way to interact with Buildkite. Before investigating, ensure it is installed and authenticated.
which bk || echo "bk CLI not installed"
If bk is not installed, install it:
brew tap buildkite/buildkite && brew install buildkite/buildkite/bk
bk auth status
If authenticated, you will see the org slug, token UUID, scopes, and user info. Proceed to investigation.
If not authenticated, you will see:
Error: you are not authenticated. Run bk auth login to authenticate, or run bk use to select a configured organization
In this case, stop and ask the user to authenticate:
Please run
bk auth loginin a terminal to authenticate with Buildkite via browser-based OAuth. This is a one-time setup similar toaws sso login. Once done, runbk auth switch mockserverto select the organization.
Do NOT attempt to run bk auth login yourself — it requires interactive browser OAuth that cannot be completed in a non-TTY terminal.
If bk auth status shows selected_org: "", the org hasn't been selected:
bk auth switch mockserver
When you need the REST API (for endpoints not covered by bk CLI):
TOKEN=$(bk auth token 2>/dev/null)
if [ -z "$TOKEN" ]; then
echo "ERROR: bk auth token failed — run 'bk auth login' first"
exit 1
fi
curl -sH "Authorization: Bearer $TOKEN" "https://api.buildkite.com/v2/..."
This extracts the OAuth token from the CLI's keychain storage. Always validate the token is non-empty before using it. Never ask the user to manually create API tokens — the CLI handles this automatically.
Extract organization, pipeline, and build number from the Buildkite URL or user input.
URL Pattern:
https://buildkite.com/{org}/{pipeline}/builds/{build_number}
The organization has multiple pipelines sharing the same agent pool:
mockserver — primary Java build and testmockserver-client-node — Node.js clientmockserver-node — Node.js modulemockserver-performance-test — performance testsUsing bk CLI (preferred):
bk build view {build_number} -p {pipeline} --json
Using REST API (fallback):
TOKEN=$(bk auth token)
curl -sH "Authorization: Bearer $TOKEN" \
"https://api.buildkite.com/v2/organizations/mockserver/pipelines/{pipeline}/builds/{build_number}"
Save the commit SHA and created_at — you will need these later to check whether fixes have already been pushed.
Using bk CLI:
bk agent list --json
This shows all agents across all pipelines, their connection state, and current job (if busy).
Key fields to check:
connection_state — should be connectedjob — if present, agent is busy; check which pipeline/build it's runningmeta_data — agent tags including queue=defaultTo understand queue contention, check builds across all pipelines sharing the agent pool:
TOKEN=$(bk auth token)
curl -sH "Authorization: Bearer $TOKEN" \
"https://api.buildkite.com/v2/organizations/mockserver/builds?state[]=scheduled&state[]=running&per_page=50"
bk build view {build_number} -p {pipeline} --json
Filter for failed jobs in the JSON output. Look at jobs[].state == "failed".
TOKEN=$(bk auth token)
curl -sH "Authorization: Bearer $TOKEN" \
"https://api.buildkite.com/v2/organizations/mockserver/pipelines/{pipeline}/builds/{build_number}/jobs/{job_id}/log" \
| jq -r '.content'
For large logs, save to file:
TOKEN=$(bk auth token)
curl -sH "Authorization: Bearer $TOKEN" \
"https://api.buildkite.com/v2/organizations/mockserver/pipelines/{pipeline}/builds/{build_number}/jobs/{job_id}/log" \
| jq -r '.content' > .tmp/buildkite-{build_number}-log.txt
TOKEN=$(bk auth token)
curl -sH "Authorization: Bearer $TOKEN" \
"https://api.buildkite.com/v2/organizations/mockserver/pipelines/{pipeline}/builds/{build_number}/artifacts" \
| jq '.[] | {filename,path,download_url}'
Download an artifact:
TOKEN=$(bk auth token)
curl -sLH "Authorization: Bearer $TOKEN" \
"{download_url}" -o .tmp/buildkite-{build_number}-artifact.log
If the Buildkite build passed but related GitHub Actions failed (CodeQL):
gh run list --repo mock-server/mockserver-monorepo --limit 10 --json status,conclusion,name,headBranch,createdAt
gh run view {run_id} --repo mock-server/mockserver-monorepo --log-failed
Get build changes (commits that triggered the build):
git log --oneline {commit}..HEAD
Check recent build history for patterns:
TOKEN=$(bk auth token)
curl -sH "Authorization: Bearer $TOKEN" \
"https://api.buildkite.com/v2/organizations/mockserver/pipelines/{pipeline}/builds?per_page=20&state=failed" \
| jq '.[] | {number,state,message,created_at}'
Cancel a build (e.g., stuck or blocking):
bk build cancel {build_number} -p {pipeline} -y
Rebuild a build:
bk build rebuild {build_number} -p {pipeline} -y
Match the identified root cause against common failure patterns:
| Error Pattern | Category | Scope |
|---|---|---|
BUILD FAILURE in Maven | BUILD_ERROR | ISOLATED |
Tests run:.*Failures: | TEST_FAILURE | ISOLATED |
OutOfMemoryError | RESOURCE_ERROR | MAY_BE_SYSTEMIC |
Connection refused | NETWORK_ERROR | MAY_BE_SYSTEMIC |
docker: Error | DOCKER_ERROR | ISOLATED |
Timeout | TIMEOUT | MAY_BE_SYSTEMIC |
| Agent did not connect | AGENT_ERROR | SYSTEMIC |
Build skipped | AUTO_SKIPPED | NORMAL (newer commit superseded) |
Build scheduled (stuck) | QUEUE_STARVATION | SYSTEMIC |
CRITICAL: Before recommending a fix, check whether the root cause has already been addressed:
git fetch origin master --quiet
git log --oneline {commit}..origin/master
git diff --name-only {commit}..origin/master
Classify:
| Classification | Meaning | Report Action |
|---|---|---|
| ALREADY FIXED | A commit on origin/master addresses this | Mark as fixed, cite the commit |
| OPEN | No fix found | Report with recommended fix |
Understanding how Buildkite schedules builds is critical for diagnosing "stuck" builds:
skip_queued_branch_builds — if enabled in the Buildkite pipeline settings (check via bk build view -p {pipeline} --json under pipeline.skip_queued_branch_builds), a newer build for the same branch causes older queued builds to be auto-skipped. This is normal, not a failure. The mockserver pipeline currently has this enabled.cancel_running_branch_builds — if disabled (check via pipeline.cancel_running_branch_builds), running builds are NOT automatically cancelled when a newer commit is pushed. Older running builds continue to consume agents. The mockserver pipeline currently has this disabled.queue=default). Scheduled builds from mockserver-performance-test, mockserver-client-node, and mockserver-node compete with the primary mockserver pipeline for agents.DYLD_LIBRARY_PATH=/opt/homebrew/opt/expat/lib aws autoscaling describe-auto-scaling-groups \
--auto-scaling-group-names "$(cd terraform/buildkite-agents && terraform output -raw auto_scaling_group_name 2>/dev/null || aws autoscaling describe-auto-scaling-groups --profile mockserver-build --region eu-west-2 --query 'AutoScalingGroups[?contains(Tags[?Key==`Name`].Value, `buildkite-mockserver`)].AutoScalingGroupName' --output text | head -1)" \
--region eu-west-2 --profile mockserver-build \
--query 'AutoScalingGroups[0].{MinSize:MinSize,MaxSize:MaxSize,DesiredCapacity:DesiredCapacity}'
Return this structure in your final message:
{
"schema": "pipeline-investigation/v1",
"build": {
"number": 0,
"pipeline": "<pipeline slug>",
"branch": "<branch>",
"commit": "<commit sha>",
"state": "failed",
"failed_job": "<job name>",
"started_at": "<ISO8601>",
"finished_at": "<ISO8601>"
},
"root_cause": {
"summary": "<one-line description>",
"detail": "<technical explanation>",
"error_excerpt": "<relevant log lines>",
"failure_category": "<category from table above or null>",
"scope": "SYSTEMIC|ISOLATED|MAY_BE_SYSTEMIC"
},
"fix_status": "OPEN|ALREADY_FIXED",
"fix_commit": "<sha or null>",
"fix_message": "<commit message or null>",
"github_actions": [
{ "run_id": 0, "workflow": "<name>", "conclusion": "failure|success", "root_cause": "<summary or null>" }
],
"recommended_fix": "<actionable steps, null if already fixed>"
}
After returning the JSON, provide a brief summary (2-3 lines).
bk CLI uses -p {pipeline} for pipeline selection, NOT --org — the org is set via bk auth switch