potiuk commented on PR #27829:
URL: https://github.com/apache/airflow/pull/27829#issuecomment-1323919978
> @potiuk, Concerning running this on the CI with `dry_option` and `--answer yes`,
> I think we should not. It looks risky and doesn't seem to give us
> information on whether the command is still ok. Like it just lists the commands
> that it should run without running them. I don't think it's useful considering
> that if there's any mistake on the `dry_option` or CI, we risk running the
> commands for real. The risk seems to outweigh the testing on CI.
>
> The thought of a mistake makes me want to exclude it from what we should
> test on the CI.

Setting --dry-run for all makes no sense indeed. But I think it makes
perfect sense to do all the steps except pushing the changes (this can be skipped if
CI). There is no risk involved. The tokens we have on CI in a regular job are
read-only so there is no risk we will actually persist any changes. The local
repo is checked out locally and wiped out after the job is finished so any
changes to it are not persisted - from what I see just "pushing" any changes
will have to be "dry-run" based on CI, all the other steps can be safely
executed (and if you try to push something or otherwise change the state of
repo - you will see a failure because the CI job has no permissions to change
anything other than in local copy of the workspace).
Those are the default permissions in the ci.yml:
```
permissions:
  # All other permissions are set to none
  contents: read
  packages: read
```
And in order for the job to have permission to change anything, it has to
be given those permissions (this is for packages but `contents: write` needs to
be set to be able to push to the repo):
```
build-ci-images:
  permissions:
    packages: write
```
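The permission model described in the comment above, as an added example that is not part of the original comment or of Airflow's code: it computes the token permissions each job ends up with, given that a job-level `permissions` block replaces the workflow-level one and unlisted scopes become none. `WORKFLOW` is constructed sample data (a workflow file already parsed into a dict), and `release-dry-run` is a hypothetical job name.

```python
# Added example: effective GITHUB_TOKEN permissions per job.
# WORKFLOW is constructed sample data, not Airflow's real ci.yml.
WORKFLOW = {
    "permissions": {"contents": "read", "packages": "read"},
    "jobs": {
        "tests": {},  # no job-level block: inherits the workflow default
        "build-ci-images": {"permissions": {"packages": "write"}},
        # Hypothetical job that would be allowed to push:
        "release-dry-run": {"permissions": {"contents": "write"}},
    },
}


def effective_permissions(workflow, job_name):
    """Return the permissions block that applies to one job.

    A job-level block replaces the workflow-level block entirely.
    None means neither level declares permissions, so the repository
    or organisation default applies and must be checked separately.
    """
    job = workflow["jobs"][job_name]
    if "permissions" in job:  # also true for an empty block ({})
        return job["permissions"]
    return workflow.get("permissions")


def scope_access(perms, scope):
    """Access level ('read', 'write', 'none') for one scope."""
    if perms is None:
        return "repo-default"
    if isinstance(perms, str):  # shorthand forms
        return {"write-all": "write", "read-all": "read"}.get(perms, "none")
    return perms.get(scope, "none")  # unlisted scopes are set to none


def audit(workflow, scope="contents"):
    """Map every job to its access level for the given scope."""
    return {
        name: scope_access(effective_permissions(workflow, name), scope)
        for name in workflow["jobs"]
    }


def jobs_able_to_push(workflow):
    """Jobs whose token carries contents: write."""
    return sorted(j for j, a in audit(workflow).items() if a == "write")


if __name__ == "__main__":
    for job, access in audit(WORKFLOW).items():
        print(f"{job}: contents={access}")
```

Jobs reported as `repo-default` declare no permissions at either level, so their access depends on the repository settings rather than on the workflow file.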