Allow committer builds to use scripts/ci, dev and actions from the PR #37057
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
potiuk
requested review from
hussein-awala,
Taragolis,
pierrejeambrun and
eladkal
|
Once we merge that one, committers will have no more the problem that their PRs modifying |
hussein-awala
approved these changes
Jan 28, 2024
potiuk
force-pushed
the
allow-dev-scripts-for-committer-builds
branch
from
2c649de to
0cbf5ff
Compare
eladkal
approved these changes
Jan 28, 2024
|
I will do some more testing in my own fork, to see if I have everything righ. And I'd appreciate a bit more thorough review for that one. This is a sensitive part of our actions and it would be good to scrutinize it a bit more :) |
potiuk
force-pushed
the
allow-dev-scripts-for-committer-builds
branch
3 times, most recently
from
00b00e0 to
a3460d0
Compare
In our process, we generally do not let the scripts in the "build images" workflow to use `scripts/ci`, `dev` and `action` scripts to come from the PR. This is a security feature that prevent Pull Requests from forks to run code on a worker that can potentially access sensitive information - such as GITHUB_TOKEN with write access to Github Registry. This, however, causes troubles, because in order to test any changes in those scripts affecting building image, you have to close your PR from the fork and push one directly to Apache repository (there in-line build workflows are used from "Test" workflow and those PRs are safe to run, because only committers can push directly to the `apache/airflow` repository branches. This PR changes default behaviour for committer PRs. Rather than do the same as "regular" PRs, those PRs will not use scripts from the target branch, instead they will use scripts from the incoming PRs of the committers. This is equally safe as running PRs from the `apache/airflow` branch - because we have a reviewed list of committers in our code and "selective checks" job that checks it is run always in the context and with the code of the "target" branch, which means that you cannot manipulate the list of actors. The Girhub actor is retrieved from pull requests github context (event/pull_request/user/login) so it is impossible to spoof it by the incoming PR. As part of this PR - list of available selective checks and documentation of PR labels and selective checks (wrongly named as "static checks") were reviewed and updated. While impolementing this, we also realised that we can simplify branch information retrieval. The code that we had in workflow was written a long time ago, when the target branch was always "main" - so we had to check-out the target commit to be able to retrieve branch_defaults.py and get the branches from there. However it's already for quite some time that "pull request workflow" uses "base_ref" as the base commit, which means that in `main` it is `main` and in `v2-8-test` it is `v2-8-stable`, which means that we already have the correct `AIRFLOW_BRANCH` and the `DEFAULT_AIRFLOW_CONSTRAINTS_BRANCH` without having to check the incoming commit. Which means that we do not need to override scripts in the build-info step, we only need to check it out temporarily to fetch the incoming PR and it's parent to see what files are changed in the incoming PR.
potiuk
force-pushed
the
allow-dev-scripts-for-committer-builds
branch
from
a3460d0 to
89acfeb
Compare
|
All right I did some testing and applied a few smal fixes (optimiized away the checkout for target-branch for commiter build as it turned out to be not needed For anyone looking here (and I would love at least 2 reviews) for security reasons. I've run some simulated builds from my higrys -> potiuk PRs after pushing the branch to main: Here is an example of committer-originated build:
Example where non-committer is the actor in PR
The builds here (you can see different actors): 
|
|
Well done! |
|
cc: @ephraimbuddy FYI -> this is something I wil cherry-pick shortly (together with other recent refactors) to v2-8-test and do some testing if it works as expected (there are some smalll caveats in retrieving DEFAULT_BRANCH and DEFAULT_CONSTRAINTS_BRANCH that I need to test there, so don't be surprised :). |
potiuk
added a commit
that referenced
this pull request
Feb 7, 2024
…#37057) In our process, we generally do not let the scripts in the "build images" workflow to use `scripts/ci`, `dev` and `action` scripts to come from the PR. This is a security feature that prevent Pull Requests from forks to run code on a worker that can potentially access sensitive information - such as GITHUB_TOKEN with write access to Github Registry. This, however, causes troubles, because in order to test any changes in those scripts affecting building image, you have to close your PR from the fork and push one directly to Apache repository (there in-line build workflows are used from "Test" workflow and those PRs are safe to run, because only committers can push directly to the `apache/airflow` repository branches. This PR changes default behaviour for committer PRs. Rather than do the same as "regular" PRs, those PRs will not use scripts from the target branch, instead they will use scripts from the incoming PRs of the committers. This is equally safe as running PRs from the `apache/airflow` branch - because we have a reviewed list of committers in our code and "selective checks" job that checks it is run always in the context and with the code of the "target" branch, which means that you cannot manipulate the list of actors. The Girhub actor is retrieved from pull requests github context (event/pull_request/user/login) so it is impossible to spoof it by the incoming PR. As part of this PR - list of available selective checks and documentation of PR labels and selective checks (wrongly named as "static checks") were reviewed and updated. While impolementing this, we also realised that we can simplify branch information retrieval. The code that we had in workflow was written a long time ago, when the target branch was always "main" - so we had to check-out the target commit to be able to retrieve branch_defaults.py and get the branches from there. However it's already for quite some time that "pull request workflow" uses "base_ref" as the base commit, which means that in `main` it is `main` and in `v2-8-test` it is `v2-8-stable`, which means that we already have the correct `AIRFLOW_BRANCH` and the `DEFAULT_AIRFLOW_CONSTRAINTS_BRANCH` without having to check the incoming commit. Which means that we do not need to override scripts in the build-info step, we only need to check it out temporarily to fetch the incoming PR and it's parent to see what files are changed in the incoming PR. (cherry picked from commit 07fd364)
potiuk
added
the
changelog:skip
ephraimbuddy
pushed a commit
that referenced
this pull request
Feb 22, 2024
…#37057) In our process, we generally do not let the scripts in the "build images" workflow to use `scripts/ci`, `dev` and `action` scripts to come from the PR. This is a security feature that prevent Pull Requests from forks to run code on a worker that can potentially access sensitive information - such as GITHUB_TOKEN with write access to Github Registry. This, however, causes troubles, because in order to test any changes in those scripts affecting building image, you have to close your PR from the fork and push one directly to Apache repository (there in-line build workflows are used from "Test" workflow and those PRs are safe to run, because only committers can push directly to the `apache/airflow` repository branches. This PR changes default behaviour for committer PRs. Rather than do the same as "regular" PRs, those PRs will not use scripts from the target branch, instead they will use scripts from the incoming PRs of the committers. This is equally safe as running PRs from the `apache/airflow` branch - because we have a reviewed list of committers in our code and "selective checks" job that checks it is run always in the context and with the code of the "target" branch, which means that you cannot manipulate the list of actors. The Girhub actor is retrieved from pull requests github context (event/pull_request/user/login) so it is impossible to spoof it by the incoming PR. As part of this PR - list of available selective checks and documentation of PR labels and selective checks (wrongly named as "static checks") were reviewed and updated. While impolementing this, we also realised that we can simplify branch information retrieval. The code that we had in workflow was written a long time ago, when the target branch was always "main" - so we had to check-out the target commit to be able to retrieve branch_defaults.py and get the branches from there. However it's already for quite some time that "pull request workflow" uses "base_ref" as the base commit, which means that in `main` it is `main` and in `v2-8-test` it is `v2-8-stable`, which means that we already have the correct `AIRFLOW_BRANCH` and the `DEFAULT_AIRFLOW_CONSTRAINTS_BRANCH` without having to check the incoming commit. Which means that we do not need to override scripts in the build-info step, we only need to check it out temporarily to fetch the incoming PR and it's parent to see what files are changed in the incoming PR. (cherry picked from commit 07fd364)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In our process, we generally do not let the scripts in the "build images" workflow to use
scripts/ci,devandactionscripts to come from the PR. This is a security feature that prevent Pull Requests from forks to run code on a worker that can potentially access sensitive information - such as GITHUB_TOKEN with write access to Github Registry.This, however, causes troubles, because in order to test any changes in those scripts affecting building image, you have to close your PR from the fork and push one directly to Apache repository (there in-line build workflows are used from "Test" workflow and those PRs are safe to run, because only committers can push directly to the
apache/airflowrepository branches.This PR changes default behaviour for committer PRs. Rather than do the same as "regular" PRs, those PRs will not use scripts from the target branch, instead they will use scripts from the incoming PRs of the committers. This is equally safe as running PRs from the
apache/airflowbranch - because we have a reviewed list of committers in our code and "selective checks" job that checks it is run always in the context and with the code of the "target" branch, which means that you cannot manipulate the list of actors.The Girhub actor is retrieved from pull requests github context (event/pull_request/user/login) so it is impossible to spoof it by the incoming PR.
As part of this PR - list of available selective checks and documentation of PR labels and selective checks (wrongly named as "static checks") were reviewed and updated.
While impolementing this, we also realised that we can simplify
branch information retrieval. The code that we had in workflow
was written a long time ago, when the target branch was always
"main" - so we had to check-out the target commit to be able to
retrieve branch_defaults.py and get the branches from there. However
it's already for quite some time that "pull request workflow"
uses "base_ref" as the base commit, which means that in
mainitis
mainand inv2-8-testit isv2-8-stable, which means thatwe already have the correct
AIRFLOW_BRANCHand theDEFAULT_AIRFLOW_CONSTRAINTS_BRANCHwithout having to checkthe incoming commit. Which means that we do not need to override
scripts in the build-info step, we only need to check it out
temporarily to fetch the incoming PR and it's parent to see
what files are changed in the incoming PR.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.