[GitHub] [airflow] potiuk commented on pull request #27829: Improving the release process

Tue, 22 Nov 2022 08:15:44 -0800 


potiuk commented on PR #27829:
URL: https://github.com/apache/airflow/pull/27829#issuecomment-1323919978

   > @potiuk, Concerning running this on the CI with `dry_option` and `--answer 
yes`, I think we should not. It looks risky and doesn't seem to give us 
information on whether the command is still ok. Like it just lists the commands 
that it should run without running them. I don't think it's useful considering 
that if there's any mistake on the `dry_option` or CI, we risk running the 
commands for real. The risk seems to outweigh the testing on CI
   > 
   > The thought of a mistake makes me want to exclude it from what we should 
test on the CI.
   
   Setting --dry-run for all makes no sense indeed. But I think it makes 
perfect to do all the steps except pushing the changes (this can be skipped if 
CI). There is no risk involved. The tokens we have on CI in regular job are 
read-only so there is no risk we will actually persist any changes. The local 
repo is checked out locally and wiped out after the job is finished so any 
changes to it are not persisted - from what I see just "pushing" any changes 
will have to be "dry-runed" based on CI, all the other steps can be safely 
executed (and if you try to push something or otherwise change the state of 
repo - you will see a failure because the CI job has no permissions to change 
anything other than in local copy of the workspace.
   
   Those are the defauilt permissions in the ci.yml:
   
   ```
   permissions:
     # All other permissions are set to none
     contents: read
     packages: read
   ```
   
   And in order for the job to have permission to change  anything, it has to 
be given those permissions (this is for packages but `contents: write` needs to 
be set to be able to push to the repo:
   
   ```
    build-ci-images:
       permissions:
         packages: write
   ```
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to