This is an automated email from the ASF dual-hosted git repository. utkarsharma pushed a commit to branch sync_2-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 04a9e2d16cb7c5f8f88342a02484b84319eab70b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun Nov 17 00:57:33 2024 +0000

[v2-10-test] Add .dockerignore to target workflow override (#43885) (#44103)

There is an extra layer of protection that code provided by the PR should not be executed in the context of pull_request_target by running the code only inside a docker container. However, the container is built from local sources, so it could contain other code. We do not allow that by .dockerignore, but the .dockerignore should not be overridable from the incoming PR.

(cherry picked from commit 5d6b836c61235765bfdf7ce65f58231e948b0881)
---
 .github/actions/checkout_target_commit/action.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/actions/checkout_target_commit/action.yml b/.github/actions/checkout_target_commit/action.yml
index e90ae019980..e95e8b86254 100644
--- a/.github/actions/checkout_target_commit/action.yml
+++ b/.github/actions/checkout_target_commit/action.yml
@@ -65,13 +65,16 @@ runs: rm -rfv "dev" rm -rfv ".github/actions" rm -rfv ".github/workflows" + rm -v ".dockerignore" || true mv -v "target-airflow/scripts/ci" "scripts" mv -v "target-airflow/dev" "." mv -v "target-airflow/.github/actions" "target-airflow/.github/workflows" ".github" + mv -v "target-airflow/.dockerignore" ".dockerignore" || true if: inputs.pull-request-target == 'true' && inputs.is-committer-build != 'true' #################################################################################################### - # AFTER IT'S SAFE. THE `dev`, `scripts/ci` AND `.github/actions` ARE NOW COMING FROM THE - # BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN TRUST THAT THOSE SCRIPTS ARE SAFE TO RUN. + # AFTER IT'S SAFE. THE `dev`, `scripts/ci` AND `.github/actions` and `.dockerignore` ARE NOW COMING + # FROM THE BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN TRUST THAT THOSE SCRIPTS ARE + # SAFE TO RUN AND CODE AVAILABLE IN THE DOCKER BUILD PHASE IS CONTROLLED BY THE `.dockerignore`. # ALL THE REST OF THE CODE COMES FROM THE PR, AND FOR EXAMPLE THE CODE IN THE `Dockerfile.ci` CAN # BE RUN SAFELY AS PART OF DOCKER BUILD. BECAUSE IT RUNS INSIDE THE DOCKER CONTAINER AND IT IS # ISOLATED FROM THE RUNNER.
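Review bot: the `|| true` on `mv -v "target-airflow/.dockerignore" ".dockerignore" || true` silently tolerates a target branch that has no `.dockerignore`, and because the preceding `rm -v ".dockerignore" || true` has already deleted the PR's copy, that case leaves the checkout with no `.dockerignore` at all, so the whole tree enters the docker build context even though the updated comment states the build-phase contents are "CONTROLLED BY THE `.dockerignore`". Consider failing the step, or at least printing an explicit warning, when `target-airflow/.dockerignore` is absent, so the weakened state cannot pass unnoticed; the `rm ... || true` is fine since a PR may legitimately lack the file. Note also that the replacement only happens under `inputs.pull-request-target == 'true' && inputs.is-committer-build != 'true'`, which matches the commit message's intent, and that, as the existing comment already says, `Dockerfile.ci` itself still comes from the PR, so `.dockerignore` bounds what the build can see but not what the build instructions do inside the container.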
