Update BREEZE.rst #287
Closed
Update BREEZE.rst #287
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In our process, we generally do not let the scripts in the "build images" workflow to use `scripts/ci`, `dev` and `action` scripts to come from the PR. This is a security feature that prevent Pull Requests from forks to run code on a worker that can potentially access sensitive information - such as GITHUB_TOKEN with write access to Github Registry. This, however, causes troubles, because in order to test any changes in those scripts affecting building image, you have to close your PR from the fork and push one directly to Apache repository (there in-line build workflows are used from "Test" workflow and those PRs are safe to run, because only committers can push directly to the `apache/airflow` repository branches. This PR changes default behaviour for committer PRs. Rather than do the same as "regular" PRs, those PRs will not use scripts from the target branch, instead they will use scripts from the incoming PRs of the committers. This is equally safe as running PRs from the `apache/airflow` branch - because we have a reviewed list of committers in our code and "selective checks" job that checks it is run always in the context and with the code of the "target" branch, which means that you cannot manipulate the list of actors. The Girhub actor is retrieved from pull requests github context (event/pull_request/user/login) so it is impossible to spoof it by the incoming PR. As part of this PR - list of available selective checks and documentation of PR labels and selective checks (wrongly named as "static checks") were reviewed and updated. While impolementing this, we also realised that we can simplify branch information retrieval. The code that we had in workflow was written a long time ago, when the target branch was always "main" - so we had to check-out the target commit to be able to retrieve branch_defaults.py and get the branches from there. However it's already for quite some time that "pull request workflow" uses "base_ref" as the base commit, which means that in `main` it is `main` and in `v2-8-test` it is `v2-8-stable`, which means that we already have the correct `AIRFLOW_BRANCH` and the `DEFAULT_AIRFLOW_CONSTRAINTS_BRANCH` without having to check the incoming commit. Which means that we do not need to override scripts in the build-info step, we only need to check it out temporarily to fetch the incoming PR and it's parent to see what files are changed in the incoming PR.
In our process, we generally do not let the scripts in the "build images" workflow to use `scripts/ci`, `dev` and `action` scripts to come from the PR. This is a security feature that prevent Pull Requests from forks to run code on a worker that can potentially access sensitive information - such as GITHUB_TOKEN with write access to Github Registry. This, however, causes troubles, because in order to test any changes in those scripts affecting building image, you have to close your PR from the fork and push one directly to Apache repository (there in-line build workflows are used from "Test" workflow and those PRs are safe to run, because only committers can push directly to the `apache/airflow` repository branches. This PR changes default behaviour for committer PRs. Rather than do the same as "regular" PRs, those PRs will not use scripts from the target branch, instead they will use scripts from the incoming PRs of the committers. This is equally safe as running PRs from the `apache/airflow` branch - because we have a reviewed list of committers in our code and "selective checks" job that checks it is run always in the context and with the code of the "target" branch, which means that you cannot manipulate the list of actors. The Girhub actor is retrieved from pull requests github context (event/pull_request/user/login) so it is impossible to spoof it by the incoming PR. As part of this PR - list of available selective checks and documentation of PR labels and selective checks (wrongly named as "static checks") were reviewed and updated. While impolementing this, we also realised that we can simplify branch information retrieval. The code that we had in workflow was written a long time ago, when the target branch was always "main" - so we had to check-out the target commit to be able to retrieve branch_defaults.py and get the branches from there. However it's already for quite some time that "pull request workflow" uses "base_ref" as the base commit, which means that in `main` it is `main` and in `v2-8-test` it is `v2-8-stable`, which means that we already have the correct `AIRFLOW_BRANCH` and the `DEFAULT_AIRFLOW_CONSTRAINTS_BRANCH` without having to check the incoming commit. Which means that we do not need to override scripts in the build-info step, we only need to check it out temporarily to fetch the incoming PR and it's parent to see what files are changed in the incoming PR.
potiuk
force-pushed
the
potiuk-patch-1
branch
from
eee13e7 to
5f66267
Compare
potiuk
force-pushed
the
main
branch
2 times, most recently
from
a3460d0 to
7a2e300
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.