This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v2-9-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v2-9-test by this push:
     new efce05db454 [v2-9-test] Add .dockerignore to target workflow override (#43885) (#44104)
efce05db454 is described below

commit efce05db45461ebf45520fb873aa880e4a22db7e
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun Nov 17 01:01:51 2024 +0000

    [v2-9-test] Add .dockerignore to target workflow override (#43885) (#44104)
    
    There is an extra layer of protection that code provided by a PR
    should not be executed in the context of pull_request_target by
    running the code only inside a docker container. However the
    container is built from local sources, so it could contain other
    code. We do not allow that by .dockerignore, but the .dockerignore
    should not be overridable from the incoming PR.
    (cherry picked from commit 5d6b836c61235765bfdf7ce65f58231e948b0881)
---
 .github/actions/checkout_target_commit/action.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/actions/checkout_target_commit/action.yml 
b/.github/actions/checkout_target_commit/action.yml
index e90ae019980..e95e8b86254 100644
--- a/.github/actions/checkout_target_commit/action.yml
+++ b/.github/actions/checkout_target_commit/action.yml
@@ -65,13 +65,16 @@ runs:
         rm -rfv "dev"
         rm -rfv ".github/actions"
         rm -rfv ".github/workflows"
+        rm -v ".dockerignore" || true
         mv -v "target-airflow/scripts/ci" "scripts"
         mv -v "target-airflow/dev" "."
         mv -v "target-airflow/.github/actions" 
"target-airflow/.github/workflows" ".github"
+        mv -v "target-airflow/.dockerignore" ".dockerignore" || true
       if: inputs.pull-request-target == 'true' && inputs.is-committer-build != 
'true'
       
####################################################################################################
-      #  AFTER IT'S SAFE. THE `dev`, `scripts/ci` AND `.github/actions` ARE 
NOW COMING FROM THE
-      #  BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN TRUST THAT 
THOSE SCRIPTS ARE SAFE TO RUN.
+      #  AFTER IT'S SAFE. THE `dev`, `scripts/ci` AND `.github/actions` and 
`.dockerignore` ARE NOW COMING
+      #  FROM THE BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN 
TRUST THAT THOSE SCRIPTS ARE
+      #  SAFE TO RUN AND CODE AVAILABLE IN THE DOCKER BUILD PHASE IS 
CONTROLLED BY THE `.dockerignore`.
       #  ALL THE REST OF THE CODE COMES FROM THE PR, AND FOR EXAMPLE THE CODE 
IN THE `Dockerfile.ci` CAN
       #  BE RUN SAFELY AS PART OF DOCKER BUILD. BECAUSE IT RUNS INSIDE THE 
DOCKER CONTAINER AND IT IS
       #  ISOLATED FROM THE RUNNER.
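Review bot: the `|| true` on `mv -v "target-airflow/.dockerignore" ".dockerignore" || true` makes the new protection fail open. If the target branch has no `.dockerignore`, or the move fails for any other reason, the PR's copy has already been deleted by the preceding `rm -v ".dockerignore" || true`, the step still succeeds, and the docker build then runs with no ignore file at all, so the whole PR tree enters the build context, which is exactly what the comment below says `.dockerignore` is meant to control. Suggest dropping `|| true` from the `mv` (keeping it only on the `rm`, where a missing file is harmless) so a missing target-branch `.dockerignore` fails the step loudly, or adding an explicit `test -f .dockerignore` after the move. Separately, it is worth confirming that the build does not honour a Dockerfile-specific ignore file: with BuildKit, a `Dockerfile.ci.dockerignore` placed next to `Dockerfile.ci` takes precedence over the root `.dockerignore`, and that file would still come from the PR.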

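The mechanism the commit message describes, swapping the CI-controlling paths in a PR checkout for the copies from the target branch, as an added example that is not Airflow's own code. It differs from the patch in one respect: it fails closed, refusing to touch the tree if the target checkout lacks any of the trusted paths, so a missing `.dockerignore` cannot silently widen the docker build context. The function names, the fixture layout and the marker files are assumptions made for this example; the path list is the one named in the patch.

```shell
#!/bin/sh
# Added example (not Airflow's code). Overlay trusted CI paths from a target-branch
# checkout onto a PR checkout, failing closed if the target branch lacks any of them.
set -eu

# Paths that must always come from the target branch, never from the PR.
# These are the paths the patch handles; the list itself is this example's.
TRUSTED_PATHS="scripts/ci dev .github/actions .github/workflows .dockerignore"

# overlay_trusted PR_DIR TARGET_DIR
# Replaces every trusted path in PR_DIR with the copy from TARGET_DIR.
# Returns 1 and changes nothing if TARGET_DIR is missing any of them, so the
# PR tree is never left without a .dockerignore (the failure mode that a
# tolerated "mv ... || true" would hide).
overlay_trusted() {
    pr_dir=$1
    target_dir=$2
    for p in $TRUSTED_PATHS; do
        if [ ! -e "$target_dir/$p" ]; then
            echo "refusing to continue: $p is missing from target checkout" >&2
            return 1
        fi
    done
    for p in $TRUSTED_PATHS; do
        rm -rf "$pr_dir/$p"
        mkdir -p "$(dirname "$pr_dir/$p")"
        cp -R "$target_dir/$p" "$pr_dir/$p"
    done
}

# build_fixture DIR MARKER
# Constructed sample tree (assumption for this example): every trusted path
# plus one ordinary source file, each containing MARKER so a test can tell
# which checkout a file came from.
build_fixture() {
    dir=$1
    marker=$2
    mkdir -p "$dir/scripts/ci" "$dir/dev" "$dir/.github/actions" \
             "$dir/.github/workflows" "$dir/airflow"
    echo "$marker" > "$dir/scripts/ci/run.sh"
    echo "$marker" > "$dir/dev/tool.py"
    echo "$marker" > "$dir/.github/actions/action.yml"
    echo "$marker" > "$dir/.github/workflows/ci.yml"
    echo "$marker" > "$dir/.dockerignore"
    echo "$marker" > "$dir/airflow/app.py"
}

# file_origin PATH: prints the marker stored in PATH (which checkout it came from).
file_origin() {
    cat "$1"
}
```

Usage: check out the PR into one directory and the target branch into another, then run `overlay_trusted pr-checkout target-checkout` before building anything; a non-zero exit means the target branch did not supply every trusted path and the job should stop rather than build.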