Use common image build workflows in pull-request-target workflow #38231
Conversation
|
This is the nice "final" (never say final) removal of the non-DRY code in the huge workflow refactor. It finally removes the repeated build-image code between actions and workflows. It does need a bit more scrutiny - because unlike the other changes it modifies the "pull request target" workflow that is a potential security issue (see the warning messages in the workflows). I tested it here potiuk#297 - simulating someone (higrys is my second persona) trying to hack the workflow by submitting a change to it in my fork - and it nicely DID NOT HACK IT .... The "ci-image-build.yaml But ... review woudl be really useful |
potiuk
force-pushed
the
use-common-image-workflows-in-pull-request-target
branch
from
93046f5 to
e0f0044
Compare
potiuk
added
the
default versions only
We left a little duplication of the code that has been used to build images in "Build Images" workflow - that is run as "Pull request target" workflow - mainly because of the security concerns and the way how we are replacing the source for actions, workflows and CI scripts from the incoming PRs with the one coming from the target branch. This change moves parts of the code that was used to replace the scripts to the shared workflows and removes the composite actions that we used in the past as common code. As part of that change it turned out that there was a bug in target-commit-sha usage for PRs coming from the forks where rather than using the merge commit, we were using the original commit coming from the fork. This was the reason why often we asked the users to rebase their PRs where some new breaking changes were added in the workflows or new dependencies added. With using merge commit, we should be experiencing the "please rebase to take into account the latest version of CI or Airflow" far less frequently.
potiuk
force-pushed
the
use-common-image-workflows-in-pull-request-target
branch
from
e0f0044 to
af202c1
Compare
|
Would love to get that one reviewed and |
We left a little duplication of the code that has been used to build images in "Build Images" workflow - that is run as "Pull request target" workflow - mainly because of the security concerns and the way how we are replacing the source for actions, workflows and CI scripts from the incoming PRs with the one coming from the target branch.
This change moves parts of the code that was used to replace the scripts to the shared workflows and removes the composite actions that we used in the past as common code.
As part of that change it turned out that there was a bug in target-commit-sha usage for PRs coming from the forks where rather than using the merge commit, we were using the original commit coming from the fork. This was the reason why often we asked the users to rebase their PRs where some new breaking changes were added in the workflows or new dependencies added. With using merge commit, we should be experiencing the "please rebase to take into account the latest version of CI or Airflow" far less frequently.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.