The GitHub Actions job "Tests (AMD)" on airflow.git/enforce-ti-self-scope-on-task-reschedules-start-date has failed. Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run: ebe21d75d03cb23f96fe3bbf3413022735e58d4a / Jarek Potiuk <[email protected]>

Enforce ti:self scope on /execution/task-reschedules/{ti}/start_date

Three sibling per-task-instance routers under `airflow.api_fastapi.execution_api.routes` opt into the `ti:self` JWT scope, which verifies that the token's `sub` claim matches the `{task_instance_id}` path parameter, preventing a worker from accessing another task's endpoints: `task_instances.py`, `hitl.py`, and `task_state.py`.

The `task_reschedules.py` router for `GET /execution/task-reschedules/{task_instance_id}/start_date` was missing that scope, so any authenticated worker could read the first reschedule timestamp of any task instance in the deployment by passing that task instance's UUID in the URL path.

This change adds the standard `dependencies=[Security(require_auth, scopes=["ti:self"])]` to the router declaration — the same pattern the three sibling routers already use. One new regression test under `TestGetRescheduleStartDate` exercises the mismatched-subject path and asserts 403.

Reference: airflow-s/airflow-s#406

Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions

Report URL: https://github.com/apache/airflow/actions/runs/26544017930

With regards,
GitHub Actions via GitBox
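
The subject-versus-path check described in the commit message, modelled with the standard library only, together with an audit that flags per-task-instance routes declared without the scope. This is an added example, not code from the Airflow commit; `Route`, `authorize`, `routes_missing_ti_self`, the UUIDs and the `/execution/health` route are assumptions made for illustration.

```python
# Added illustration: a stdlib-only model of a "ti:self"-style check.
# Route, authorize() and routes_missing_ti_self() are hypothetical names.
from dataclasses import dataclass

TI_SELF = "ti:self"
TI_PARAM = "task_instance_id"


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    scopes: tuple = ()


def authorize(route, claims, path_params):
    """Return the HTTP status the route would give this token."""
    if TI_SELF in route.scopes:
        sub = claims.get("sub")
        # Fail closed: a missing subject never matches.
        if not sub or sub != path_params.get(TI_PARAM):
            return 403
    return 200


def routes_missing_ti_self(routes):
    """Audit: routes taking {task_instance_id} that do not require ti:self."""
    marker = "{" + TI_PARAM + "}"
    return [r for r in routes if marker in r.path and TI_SELF not in r.scopes]


# Constructed sample data (UUIDs and the health route are made up).
TI_A = "11111111-1111-4111-8111-111111111111"
TI_B = "22222222-2222-4222-8222-222222222222"
PATH = "/execution/task-reschedules/{task_instance_id}/start_date"
BEFORE = Route("GET", PATH)                      # router without the scope
AFTER = Route("GET", PATH, scopes=(TI_SELF,))    # router with the scope
HEALTH = Route("GET", "/execution/health")       # hypothetical, no TI param
WORKER_A = {"sub": TI_A}                         # claims of task A's token

if __name__ == "__main__":
    for label, route in (("before", BEFORE), ("after", AFTER)):
        own = authorize(route, WORKER_A, {TI_PARAM: TI_A})
        other = authorize(route, WORKER_A, {TI_PARAM: TI_B})
        print(f"{label}: own={own} other={other}")
    print("unscoped:", [r.path for r in routes_missing_ti_self([BEFORE, HEALTH])])
```

Run over a project's real route table in CI, an audit of this shape turns a forgotten scope on a new per-task-instance router into a failing check.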
