The GitHub Actions job "Tests" on airflow.git has failed.
Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run:
00b00e00aa687b926b2ca4d764f37773e8414733 / Jarek Potiuk <[email protected]>
Allow committer builds to use scripts/ci, dev and actions from the PR

In our process, we generally do not let the scripts in the "build
images" workflow use `scripts/ci`, `dev` and `action` scripts coming
from the PR. This is a security feature that prevents Pull Requests from
forks from running code on a worker that can potentially access sensitive
information - such as a GITHUB_TOKEN with write access to the GitHub
Registry.

This, however, causes trouble, because in order to test any changes
in those scripts affecting image building, you have to close your
PR from the fork and push one directly to the Apache repository (there
the in-line build workflows are used from the "Test" workflow, and those
PRs are safe to run, because only committers can push directly to the
`apache/airflow` repository branches).

This PR changes the default behaviour for committer PRs. Rather than
doing the same as "regular" PRs, those PRs will not use scripts from
the target branch; instead they will use scripts from the incoming
PRs of the committers. This is just as safe as running PRs from
the `apache/airflow` branch - because we have a reviewed list
of committers in our code, and the "selective checks" job that
checks it is always run in the context and with the code of
the "target" branch, which means that you cannot manipulate the
list of actors.

The GitHub actor is retrieved from the pull request GitHub
context (event/pull_request/user/login), so it is impossible to
spoof it from the incoming PR.

As part of this PR, the list of available selective checks and the
documentation of PR labels and selective checks (wrongly named
"static checks") were reviewed and updated.

While implementing this, we also realised that we can simplify
branch information retrieval. The code that we had in the workflow
was written a long time ago, when the target branch was always
"main" - so we had to check out the target commit to be able to
retrieve branch_defaults.py and get the branches from there. However,
for quite some time now the "pull request workflow" has used
"base_ref" as the base commit, which means that in `main` it
is `main` and in `v2-8-test` it is `v2-8-stable`, which means that
we already have the correct `AIRFLOW_BRANCH` and the
`DEFAULT_AIRFLOW_CONSTRAINTS_BRANCH` without having to check
the incoming commit. This means that we do not need to override
scripts in the build-info step; we only need to check it out
temporarily to fetch the incoming PR and its parent to see
what files are changed in the incoming PR.

Report URL: https://github.com/apache/airflow/actions/runs/7687081597

With regards,
GitHub Actions via GitBox
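The decision the commit message describes (read the PR author from event/pull_request/user/login, compare it against a committer list that was loaded from the target branch, and only then allow the PR's own `scripts/ci`, `dev` and `actions` to run) can be illustrated with a small script. The following is an added example, not Airflow's own code: the names `pr_author`, `decide_script_source`, `ScriptSource`, `COMMITTERS_FROM_TARGET_BRANCH`, the sample event payloads and the rule for non-PR events are all assumptions made for the illustration, and the committer list is a constructed stand-in for a file read from the checked-out base ref.

```python
import json
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed, hypothetical stand-in for the reviewed committer list that a
# real workflow reads from code checked out at the TARGET branch (base_ref),
# never from the PR head. Because it is loaded before any PR file is
# touched, the PR cannot add its own author to it.
COMMITTERS_FROM_TARGET_BRANCH: FrozenSet[str] = frozenset({"alice", "bob"})


@dataclass(frozen=True)
class ScriptSource:
    # "pr": run scripts/ci, dev and actions from the incoming PR head
    # "target": keep the copies already checked out from the base ref
    source: str
    reason: str


def pr_author(event: dict) -> Optional[str]:
    """Return event.pull_request.user.login, or None for non-PR events.

    GitHub fills this field from the PR itself, so nothing in the PR's
    tree can change it. github.actor / GITHUB_ACTOR is deliberately not
    used: it names whoever triggered (or re-ran) the workflow, which need
    not be the PR author.
    """
    try:
        login = event["pull_request"]["user"]["login"]
    except (KeyError, TypeError):
        return None
    return login if isinstance(login, str) and login else None


def decide_script_source(
    event: dict, committers: FrozenSet[str] = COMMITTERS_FROM_TARGET_BRANCH
) -> ScriptSource:
    """Decide which copy of the CI scripts this run may execute.

    Assumed policy (hypothetical, modelled on the commit message):
    - no pull_request in the event (direct push to a repo branch): only
      the already checked-out branch code exists, so "target";
    - PR authored by someone in the target-branch committer list: "pr";
    - anything else (e.g. a fork PR from a non-committer): "target".
    """
    author = pr_author(event)
    if author is None:
        return ScriptSource("target", "not a pull request event")
    if author in committers:
        return ScriptSource("pr", f"{author} is in the target-branch committer list")
    return ScriptSource("target", f"{author} is not a committer")


# Constructed sample payloads (shape follows the pull_request webhook event,
# trimmed to the fields used here; not real data).
COMMITTER_PR_EVENT = json.loads("""
{"action": "synchronize",
 "pull_request": {"number": 1, "user": {"login": "alice"},
                  "head": {"repo": {"fork": true}}, "base": {"ref": "main"}}}
""")
FORK_PR_EVENT = json.loads("""
{"action": "opened",
 "pull_request": {"number": 2, "user": {"login": "mallory"},
                  "head": {"repo": {"fork": true}}, "base": {"ref": "main"}}}
""")
PUSH_EVENT = json.loads('{"ref": "refs/heads/main", "pusher": {"name": "bob"}}')


if __name__ == "__main__":
    # Inside Actions, GITHUB_EVENT_PATH points at the real payload; offline,
    # fall back to the constructed fork-PR sample.
    path = os.environ.get("GITHUB_EVENT_PATH")
    if path:
        with open(path, encoding="utf-8") as fh:
            event = json.load(fh)
    else:
        event = FORK_PR_EVENT
    decision = decide_script_source(event)
    print(f"use scripts from: {decision.source} ({decision.reason})")
```

The important property is ordering, which the script cannot enforce by itself: the committer list must already be in memory from the base-ref checkout when the decision is made, and the PR head is fetched only afterwards (and only to diff changed files) in the "target" case. A workflow that checks out the PR head first and then reads the list from the working tree would let the PR rewrite the list.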


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]