This is an automated email from the ASF dual-hosted git repository.
jscheffl pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new f015a947d6b Limit secrets passed to reusable workflows (#47258)
f015a947d6b is described below
commit f015a947d6b3d356cbd0dcb1bd9bc23bdeea1ce5
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat Mar 1 23:52:22 2025 +0100
Limit secrets passed to reusable workflows (#47258)
Good practice (pointed out by zizmor) is to pass only the secrets a called
reusable workflow actually needs, instead of `secrets: inherit`. This PR
removes `secrets: inherit` from these reusable-workflow calls.
---
.github/workflows/additional-ci-image-checks.yml | 2 --
.github/workflows/ci.yml | 15 ---------------
.github/workflows/finalize-tests.yml | 2 --
.github/workflows/special-tests.yml | 6 ------
4 files changed, 25 deletions(-)
diff --git a/.github/workflows/additional-ci-image-checks.yml
b/.github/workflows/additional-ci-image-checks.yml
index a6b7bdafcb5..5b797d9bf40 100644
--- a/.github/workflows/additional-ci-image-checks.yml
+++ b/.github/workflows/additional-ci-image-checks.yml
@@ -102,7 +102,6 @@ jobs:
# This write is only given here for `push` events from "apache/airflow"
repo. It is not given for PRs
# from forks. This is to prevent malicious PRs from creating images in
the "apache/airflow" repo.
packages: write
- secrets: inherit
with:
runs-on-as-json-public: ${{ inputs.runs-on-as-json-public }}
runs-on-as-json-self-hosted: ${{ inputs.runs-on-as-json-self-hosted }}
@@ -165,7 +164,6 @@ jobs:
# permissions:
# contents: read
# packages: write
-# secrets: inherit
# with:
# platform: "linux/arm64"
# push-image: "false"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3e41f1ce880..d147a698ebc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -202,7 +202,6 @@ jobs:
# This write is only given here for `push` events from "apache/airflow"
repo. It is not given for PRs
# from forks. This is to prevent malicious PRs from creating images in
the "apache/airflow" repo.
packages: write
- secrets: inherit
with:
runs-on-as-json-public: ${{
needs.build-info.outputs.runs-on-as-json-public }}
runs-on-as-json-self-hosted: ${{
needs.build-info.outputs.runs-on-as-json-self-hosted }}
@@ -264,7 +263,6 @@ jobs:
name: "CI image checks"
needs: [build-info, build-ci-images]
uses: ./.github/workflows/ci-image-checks.yml
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
runs-on-as-json-docs-build: ${{
needs.build-info.outputs.runs-on-as-json-docs-build }}
@@ -296,7 +294,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
if: >
needs.build-info.outputs.skip-providers-tests != 'true' &&
needs.build-info.outputs.latest-versions-only != 'true'
@@ -320,7 +317,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
runs-on-as-json-public: ${{
needs.build-info.outputs.runs-on-as-json-public }}
@@ -339,7 +335,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
backend: "postgres"
@@ -366,7 +361,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
backend: "mysql"
@@ -393,7 +387,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
backend: "sqlite"
@@ -422,7 +415,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
backend: "sqlite"
@@ -450,7 +442,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
if: >
needs.build-info.outputs.run-tests == 'true' &&
(needs.build-info.outputs.canary-run == 'true' ||
@@ -480,7 +471,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-public: ${{
needs.build-info.outputs.runs-on-as-json-public }}
testable-core-integrations: ${{
needs.build-info.outputs.testable-core-integrations }}
@@ -502,7 +492,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
if: >
needs.build-info.outputs.run-tests == 'true'
with:
@@ -534,7 +523,6 @@ jobs:
# This write is only given here for `push` events from "apache/airflow"
repo. It is not given for PRs
# from forks. This is to prevent malicious PRs from creating images in
the "apache/airflow" repo.
packages: write
- secrets: inherit
with:
runs-on-as-json-public: ${{
needs.build-info.outputs.runs-on-as-json-public }}
build-type: "Regular"
@@ -578,7 +566,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
platform: "linux/amd64"
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
@@ -598,7 +585,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{
needs.build-info.outputs.runs-on-as-json-default }}
default-python-version: ${{
needs.build-info.outputs.default-python-version }}
@@ -616,7 +602,6 @@ jobs:
permissions:
contents: write
packages: write
- secrets: inherit
needs:
- build-info
- generate-constraints
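Review bot: Dropping `secrets: inherit` on this `contents: write` / `packages: write` call leaves the callee with only the implicitly available GITHUB_TOKEN, and any other `${{ secrets.* }}` reference inside it now evaluates to an empty string with no error unless the callee declares that secret under `on.workflow_call.secrets` with `required: true`. The called workflow is not visible here, so whether it relies on any inherited secret cannot be confirmed from the hunk; the same applies to every `secrets: inherit` removed in this commit. Where a callee does need a secret, pass it explicitly under a `secrets:` mapping listing only that entry, and mark it required in the callee so the caller fails at validation time rather than running with a blank credential. The job definition starts before this hunk.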
diff --git a/.github/workflows/finalize-tests.yml
b/.github/workflows/finalize-tests.yml
index ac13089caf6..47db38269b3 100644
--- a/.github/workflows/finalize-tests.yml
+++ b/.github/workflows/finalize-tests.yml
@@ -139,7 +139,6 @@ jobs:
permissions:
contents: read
packages: write
- secrets: inherit
with:
runs-on-as-json-public: ${{ inputs.runs-on-as-json-public }}
runs-on-as-json-self-hosted: ${{ inputs.runs-on-as-json-self-hosted }}
@@ -163,7 +162,6 @@ jobs:
# permissions:
# contents: read
# packages: write
- # secrets: inherit
# with:
# runs-on-as-json-public: ${{ inputs.runs-on-as-json-public }}
# runs-on-as-json-self-hosted: ${{ inputs.runs-on-as-json-self-hosted }}
diff --git a/.github/workflows/special-tests.yml
b/.github/workflows/special-tests.yml
index 694212257a2..65d78b58765 100644
--- a/.github/workflows/special-tests.yml
+++ b/.github/workflows/special-tests.yml
@@ -89,7 +89,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{ inputs.runs-on-as-json-default }}
downgrade-sqlalchemy: "true"
@@ -113,7 +112,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{ inputs.runs-on-as-json-default }}
upgrade-boto: "true"
@@ -138,7 +136,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{ inputs.runs-on-as-json-default }}
downgrade-pendulum: "true"
@@ -163,7 +160,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{ inputs.runs-on-as-json-default }}
test-name: "Postgres"
@@ -187,7 +183,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{ inputs.runs-on-as-json-default }}
test-name: "Postgres"
@@ -213,7 +208,6 @@ jobs:
permissions:
contents: read
packages: read
- secrets: inherit
with:
runs-on-as-json-default: ${{ inputs.runs-on-as-json-default }}
test-name: "SystemTest"