potiuk opened a new issue, #69460:
URL: https://github.com/apache/airflow/issues/69460

   ### Problem
   
   Manual, release-process-related workflows currently restrict who can trigger 
them by duplicating a hardcoded release-manager allowlist as an `if:` condition 
on the first job, e.g.:
   
   ```yaml
   if: contains(fromJSON('[ "ashb", "bugraoz93", "eladkal", ... ]'), 
github.event.sender.login)
   ```
   
   This pattern is spread across several workflows (prod image release, single 
prod image release, publish docs to S3, and now the constraints-refresh 
workflow — see #69457). It has real downsides:
   
   - The RM handle list drifts and must be updated in many files independently.
   - It only gates the *actor*; it does not scope the *secrets* those workflows 
consume.
   - It is easy to forget on a new workflow, or to get the `event_name` guard 
subtly wrong.
   
   ### Proposal
   
   Introduce a dedicated GitHub Actions **deployment environment** (e.g. 
`release`) and:
   
   1. Configure it — via `.asf.yaml` (rulesets / environment configuration now 
supported by ASF INFRA) — so that only release managers can run jobs that 
reference it, and scope the release/publishing secrets to that environment.
   2. Convert **all** workflows that manually dispatch release-process-related 
workflows, and **all** secret-using workflows, to reference `environment: 
release`.
   3. Remove the per-workflow `if: contains(fromJSON('[...]'), 
github.event.sender.login)` allowlists — the environment's protection rules 
become the single source of truth for "who may run this."
   
   ### Benefits
   
   - Centralized, auditable access control instead of copy-pasted handle lists.
   - Secrets scoped to the environment rather than available to any job in the 
repo.
   - New release workflows opt in with one line (`environment: release`) 
instead of re-deriving the guard.
   
   ### Scope / acceptance criteria
   
   - [ ] Confirm with ASF INFRA what `.asf.yaml` can express for environment 
protection rules / required reviewers / actor restrictions.
   - [ ] Define and configure the `release` environment (RM-only) and move 
release/publishing secrets into it.
   - [ ] Enumerate and migrate affected workflows: 
`release_dockerhub_image.yml`, `release_single_dockerhub_image.yml`, 
`publish-docs-to-s3.yml`, `update-constraints-on-push.yml`, plus any other 
secret-consuming workflows.
   - [ ] Replace the manual `if:` actor allowlists with the environment gate.
   - [ ] Document the model in the dev docs.
   
   Prompted by #69457, which had to add yet another manual RM `if:` allowlist 
that this environment-based approach would replace.
   
   ---
   Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to