(airflow) branch v2-10-test updated: [v2-10-test] Add .dockerignore to target workflow override (#43885) (#44103)

Sat, 16 Nov 2024 18:22:55 -0800 

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v2-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v2-10-test by this push:
     new 65ee61cf5e0 [v2-10-test] Add .dockerignore to target workflow override 
(#43885) (#44103)
65ee61cf5e0 is described below

commit 65ee61cf5e008e4471ada0fe51f8e442d427465c
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun Nov 17 00:57:33 2024 +0000

    [v2-10-test] Add .dockerignore to target workflow override (#43885) (#44103)
    
    There is an extra layer of protection that code provided by PR
    should not be executed in the context of pull_request_target by
    running the code only inside docker container. However the
    container is build from local sources, so it could contain other
    code. We do not allow that by .dockerignore, but the .dockerignore
    should not be overrideable from the incoming PR.
    (cherry picked from commit 5d6b836c61235765bfdf7ce65f58231e948b0881)
---
 .github/actions/checkout_target_commit/action.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/actions/checkout_target_commit/action.yml 
b/.github/actions/checkout_target_commit/action.yml
index e90ae019980..e95e8b86254 100644
--- a/.github/actions/checkout_target_commit/action.yml
+++ b/.github/actions/checkout_target_commit/action.yml
@@ -65,13 +65,16 @@ runs:
         rm -rfv "dev"
         rm -rfv ".github/actions"
         rm -rfv ".github/workflows"
+        rm -v ".dockerignore" || true
         mv -v "target-airflow/scripts/ci" "scripts"
         mv -v "target-airflow/dev" "."
         mv -v "target-airflow/.github/actions" 
"target-airflow/.github/workflows" ".github"
+        mv -v "target-airflow/.dockerignore" ".dockerignore" || true
       if: inputs.pull-request-target == 'true' && inputs.is-committer-build != 
'true'
       
####################################################################################################
-      #  AFTER IT'S SAFE. THE `dev`, `scripts/ci` AND `.github/actions` ARE 
NOW COMING FROM THE
-      #  BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN TRUST THAT 
THOSE SCRIPTS ARE SAFE TO RUN.
+      #  AFTER IT'S SAFE. THE `dev`, `scripts/ci` AND `.github/actions` and 
`.dockerignore` ARE NOW COMING
+      #  FROM THE BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN 
TRUST THAT THOSE SCRIPTS ARE
+      #  SAFE TO RUN AND CODE AVAILABLE IN THE DOCKER BUILD PHASE IS 
CONTROLLED BY THE `.dockerignore`.
       #  ALL THE REST OF THE CODE COMES FROM THE PR, AND FOR EXAMPLE THE CODE 
IN THE `Dockerfile.ci` CAN
       #  BE RUN SAFELY AS PART OF DOCKER BUILD. BECAUSE IT RUNS INSIDE THE 
DOCKER CONTAINER AND IT IS
       #  ISOLATED FROM THE RUNNER.

Reply via email to