Also, just for the record (while having everyone's attention on Actions security), this is how important this whole subject of Actions security is:

* Yesterday GitHub released (and we are going to enable it very soon) an update to CodeQL to check the security of GitHub Actions: https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/ - and if you read that, "apache-superset" is quoted as an important project where the new action detected issues and prevented some serious security problems. We could be at the top of the list too (which could be good and bad at the same time).
* Also recently the "Cacheract" tool: https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/ has been released - a tool that automates cache poisoning (the one that I found and protected against a year ago) when non-secure workflows are used.

So yeah. That PR was **just on time**.

J.

On Fri, Jan 10, 2025 at 12:31 AM Pavankumar Gopidesu <gopidesupa...@gmail.com> wrote:
> Everyone has done an excellent job.
>
> I would also vote for https://github.com/apache/airflow/pull/45266, as it addresses a long-standing issue related to pull_request_target and includes numerous improvements to the CI process. Great work Jarek.
>
> Regards,
> Pavan
>
> On Thu, Jan 9, 2025 at 8:33 PM Shahar Epstein <sha...@apache.org> wrote:
> > +1 to this :)
> >
> > On Thu, Jan 9, 2025, 22:10 Jarek Potiuk <ja...@potiuk.com> wrote:
> > > It's extremely difficult to choose the PR of the month this month with all the fantastic job done by many.
> > >
> > > But I would like to shamelessly propose https://github.com/apache/airflow/pull/45266 -> Simplify caching mechanisms for CI and PROD images
> > >
> > > After quite a few years, thanks to improvements in GitHub Actions, switching to uv, using a GitHub Action developed by the Apache Arrow team and published in the shared Actions repository of the ASF, and discussion in the ASF #builds team, we were able to finally get rid of the "pull_request_target" workflow and simplify the caching mechanisms we use for our images. That was not really workable before without all of those pieces combined together, but finally we could do it - and without any significant disruptions.
> > >
> > > It's a major improvement in security. Literally days after I merged that, we received a security report reporting a new, previously unknown way the "pull_request_target" workflow weaknesses could be exploited in Airflow. We had other mitigations in place introduced last year, so there is no security impact of that one, but I still need to backport it to v2-10-test (in progress) to get rid of any potential that it will be exploited further - permanently.
> > >
> > > J.
> > >
> > > On Mon, Jan 6, 2025 at 10:16 PM Briana Okyere <briana.oky...@astronomer.io.invalid> wrote:
> > > > Happy New Year to all!
> > > >
> > > > It's once again time to vote for the PR of the Month!
> > > >
> > > > With the help of the `get_important_pr_candidates` script in dev/stats, we've identified the following candidates:
> > > >
> > > > PR #44332: AIP-84 Migrate /object/grid_data from views to FastAPI <https://github.com/apache/airflow/pull/44332>
> > > >
> > > > PR #44972: Swap Dag Parsing to use the TaskSDK machinery <https://github.com/apache/airflow/pull/44972>
> > > >
> > > > PR #44712: [AIP-86] Add Deadline Alerts table, model, and supporting tests <https://github.com/apache/airflow/pull/44712>
> > > >
> > > > PR #45106: AIP-72: Handling task retries in task SDK + execution API <https://github.com/apache/airflow/pull/45106>
> > > >
> > > > PR #44899: AIP-72: Pass context keys from API Server to Worker <https://github.com/apache/airflow/pull/44899>
> > > >
> > > > Please reply to this thread with your selection or offer your own nominee(s).
> > > >
> > > > Voting will close on Friday, January 10th at 10 AM PST. The winner(s) will be featured in the next issue of the Airflow newsletter.
> > > >
> > > > Also, if there's an article or event that you think should be included in this or a future issue of the newsletter, please drop me a line at <briana.oky...@astronomer.io>
> > > >
> > > > --
> > > > Briana Okyere
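A defender-side check for the workflow pattern this thread is about (the privileged `pull_request_target` trigger combined with checking out pull-request code, the thing Jarek's PR removed and the new CodeQL query flags), as an added example that is not Airflow's code, CodeQL's query or the Cacheract tool; the two sample workflows and the `findings` helper are constructed for this example.

```python
import re

# Constructed sample workflows (not from the Airflow repository). The first
# combines the privileged pull_request_target trigger with a checkout of the
# pull request head; the second uses the unprivileged pull_request trigger.
UNSAFE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

SAFE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Trigger written as a mapping key, a list item, or inside a flow-style list.
TRIGGER_RE = re.compile(r"(^\s*-?\s*|\[[^\]]*)pull_request_target\b", re.MULTILINE)
# Checkout refs that point at code from the pull request rather than the base branch.
HEAD_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/.+/(head|merge)"
)


def findings(workflow_text: str) -> list[str]:
    """Return the findings for one workflow file's text, most severe last."""
    out = []
    if TRIGGER_RE.search(workflow_text):
        # pull_request_target runs with the base repository's write token and secrets.
        out.append("uses pull_request_target")
        if HEAD_REF_RE.search(workflow_text):
            # Running pull-request code in that privileged context is the weakness
            # the thread describes; the safe workflow above avoids it entirely.
            out.append("checks out pull request code under pull_request_target")
    return out
```

Running `findings` over every file under `.github/workflows/` gives a quick pre-merge gate while waiting for the CodeQL Actions queries to be enabled.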