Dev-iL commented on PR #63345:
URL: https://github.com/apache/airflow/pull/63345#issuecomment-4052681189

   > Nope. We can merge it when static checks are solved :)
   
   Hmm... those didn't exist a few rebases ago. Regardless, Claude wants to ignore all zizmor violations

   >     The proper fix (per zizmor docs) is to add a GitHub Actions environment: to each job that uses secrets. For example:
   >
   >         build-ci-images:
   >           environment: ci  # dedicated environment with secrets configured
   >           ...
   >
   >     This requires the secrets to be configured as environment secrets (not just repository secrets) in the GitHub repo settings under Settings > Environments.
   >
   >     However, for a large open-source project like Apache Airflow:
   >
   >     1. GITHUB_TOKEN and CODECOV_TOKEN are typically repo-level secrets that don't need environment gating — zizmor flags them but the risk is low.
   >     2. CONSTRAINTS_GITHUB_REPOSITORY is just a repo name override, not a real secret.
   >     3. DOCS_AWS_* and DOCKERHUB_* are the ones where environment protection would genuinely add value, but migrating them requires repo admin changes.
   >
   >     Adding environments also introduces approval gates/delays unless configured as auto-approved, which could slow down CI significantly.
   >
   >     So the inline # zizmor: ignore[secrets-inherit] suppression is the pragmatic and common approach for these cases — especially for secrets like CODECOV_TOKEN and CONSTRAINTS_GITHUB_REPOSITORY where the risk model doesn't warrant environment isolation. This is exactly how the codebase already handles excessive-permissions warnings (see milestone-tag-assistant.yml).
   >
   >     If you'd prefer the environment-based fix for the truly sensitive secrets (AWS, DockerHub), that's a repo admin change outside of code — and you'd still likely suppress the low-risk ones like CODECOV_TOKEN.

   So... Ignore or admin change?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

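The options weighed in the quoted comment, side by side in one hypothetical workflow. This is an added illustration, not code from this PR or from Airflow's repository: the workflow paths, job names, the script and the DOCS_AWS_* secret names are placeholders. Option B (passing only the needed secrets to the reusable workflow instead of `secrets: inherit`) is the remediation zizmor's documentation gives for the secrets-inherit audit and is not mentioned in the comment; it needs no repository-settings change. Note that `environment:` belongs on a job that runs its own steps, not on a `uses:` job that calls a reusable workflow.

```yaml
# Hypothetical workflow written for this page; not an Airflow workflow file.
# Paths, job names, the script and the DOCS_AWS_* secret names are placeholders.
name: ci-images-example

on:
  push:
    branches: [main]

# Top-level read-only token; narrower than the default and keeps
# zizmor's excessive-permissions audit quiet without a suppression.
permissions:
  contents: read

jobs:
  # Option A: keep `secrets: inherit` and suppress the finding inline.
  # zizmor's secrets-inherit audit flags this key on a reusable-workflow
  # call; the ignore comment has to sit on the flagged line.
  build-ci-images:
    uses: ./.github/workflows/build-images.yml  # placeholder path
    secrets: inherit  # zizmor: ignore[secrets-inherit]

  # Option B: pass only the secrets the called workflow declares under
  # workflow_call. No repo-admin change needed, and a low-risk value such
  # as CODECOV_TOKEN can still be handed over explicitly.
  build-ci-images-explicit:
    uses: ./.github/workflows/build-images.yml  # placeholder path
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  # Option C: environment gating for the genuinely sensitive secrets.
  # The secrets must exist as environment secrets (Settings > Environments
  # > ci), which is the repo-admin change; any required reviewers or wait
  # timer configured on "ci" will hold the job until approved.
  publish-docs:
    runs-on: ubuntu-latest
    environment: ci
    steps:
      - name: Publish docs
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.DOCS_AWS_ACCESS_KEY_ID }}          # placeholder name
          AWS_SECRET_ACCESS_KEY: ${{ secrets.DOCS_AWS_SECRET_ACCESS_KEY }}  # placeholder name
        run: ./scripts/publish-docs.sh  # placeholder script
```

With option C in place, option A's blanket inheritance can be dropped for the jobs that touch AWS or DockerHub credentials, and the inline suppression kept only where the inherited values are the low-risk ones the comment lists.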