Posted to commits@airflow.apache.org by po...@apache.org on 2021/03/23 03:25:55 UTC

[airflow] 08/34: Don't use author_association for self-hosted vs public runner decision. (#14718)

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v2-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 035b0cbb4809b321f2f84a8517efb489a5fb0ffd
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Thu Mar 11 12:33:50 2021 +0000

    Don't use author_association for self-hosted vs public runner decision. (#14718)
    
    Using this has two draw-backs for us.
    
    1. MEMBER applies to _anyone in the org_, not just members/commiters to
       this repo
    2. The value of this setting depends upon the user's "visiblity" in the
       org. I.e. if they hide their membership of the org, the
       author_association will show up as "CONTRIBUTOR" instead.
    
    Both of these combined mean we should instead use an alternative list.
    
    We can't use a secret as the `secrets.` context is not available in the runs-on
    stanza, so we have to have a hard-coded list in the workflow file :( This is just as
    secure, since the runner still checks the author against its own list.
    
    (cherry picked from commit 42134877467e6e5615b2c5bc20a85058b4fe9ca5)
---
 .github/workflows/ci.yml | 67 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 54 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 54f102a..eb6bc0a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ on:  # yamllint disable-line rule:truthy
     branches: ['master', 'v1-10-test', 'v1-10-stable', 'v2-0-test']
 
 env:
-
+  AIRFLOW_COMMITERS: ${{ secrets.AIRFLOW_COMMITERS }}
   MOUNT_SELECTED_LOCAL_SOURCES: "false"
   FORCE_ANSWER_TO_QUESTIONS: "yes"
   FORCE_PULL_IMAGES: "true"
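Review bot: The `AIRFLOW_COMMITERS` secret added to the workflow-level `env:` is not read by anything in this diff — the runs-on expression below uses a hard-coded list and the set-runs-on step keys off `AIRFLOW_SELF_HOSTED_RUNNER` — and the commit message itself notes the secret cannot be used in runs-on. A workflow-level env entry exposes the value to every step of every job, including third-party actions, so if it is still needed it should be scoped to the job or step that consumes it; otherwise the line should be dropped. If some part of ci.yml outside this diff does read it, a comment on this line naming that consumer would make the intent clear, e.g. `# consumed by <job/step> — TODO confirm`.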
@@ -73,25 +73,57 @@ jobs:
 
   build-info:
     name: "Build info"
+    # The runs-on cannot refer to env. or secrets. context, so we have no
+    # option but to specify a hard-coded list here. This is "safe", as the list
+    # is checked again by the runner using it's own list, so a PR author cannot
+    # change this and get access to our self-hosted runners
+    #
+    # When changing this list, ensure that it is kept in sync with the
+    # configOverride parameter in AWS SSM (which is what the runner uses)
     runs-on: >-
       ${{ (
         (
           github.event_name == 'push' ||
           github.event_name == 'schedule' ||
-          github.event.pull_request.author_association == 'OWNER' ||
-          github.event.pull_request.author_association == 'MEMBER'
+          contains(fromJSON('[
+            "BasPH",
+            "Fokko",
+            "KevinYang21",
+            "XD-DENG",
+            "aijamalnk",
+            "alexvanboxel",
+            "aoen",
+            "artwr",
+            "ashb",
+            "bolkedebruin",
+            "criccomini",
+            "dimberman",
+            "feng-tao",
+            "houqp",
+            "jghoman",
+            "jmcarp",
+            "kaxil",
+            "leahecole",
+            "mik-laj",
+            "milton0825",
+            "mistercrunch",
+            "msumit",
+            "potiuk",
+            "r39132",
+            "ryanahamilton",
+            "ryw",
+            "saguziel",
+            "sekikn",
+            "turbaszek",
+            "zhongjiajie",
+            "ephraimbuddy",
+            "jhtimmins",
+            "dstandish"
+          ]'), github.actor)
         ) && github.repository == 'apache/airflow'
       ) && 'self-hosted' || 'ubuntu-20.04' }}
     env:
       GITHUB_CONTEXT: ${{ toJson(github) }}
-      RUNS_ON: ${{ (
-          (
-            github.event_name == 'push' ||
-            github.event_name == 'schedule' ||
-            github.event.pull_request.author_association == 'OWNER' ||
-            github.event.pull_request.author_association == 'MEMBER'
-          ) && github.repository == 'apache/airflow'
-        ) && 'self-hosted' || 'ubuntu-20.04' }}
     outputs:
       waitForImage: ${{ steps.wait-for-image.outputs.wait-for-image }}
       upgradeToNewerDependencies: ${{ steps.selective-checks.outputs.upgrade-to-newer-dependencies }}
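Review bot: `github.actor` on the new `contains(fromJSON(...), github.actor)` line is the account that triggered the run, which on a `synchronize` event can be a maintainer pushing to a contributor's branch rather than the PR author, so the expression can pick `self-hosted` for code a listed committer did not write. The comment above already says the runner re-checks against its own list, so that runner-side list is the actual control and this one is only a scheduling hint; the comment should say so explicitly, e.g. `# github.actor is the user who triggered the run, not necessarily the PR author; the runner-side list is the real gate`. Separately, the last three entries (`ephraimbuddy`, `jhtimmins`, `dstandish`) break the alphabetical order of the list, which makes the required sync with the SSM configOverride harder to eyeball, so keep the list sorted. The `it's own list` in the comment should read `its own list`.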
@@ -127,10 +159,19 @@ jobs:
       pullRequestLabels: ${{ steps.source-run-info.outputs.pullRequestLabels }}
       runsOn: ${{ steps.set-runs-on.outputs.runsOn }}
     steps:
-      # Avoid having to specify the runs-on logic every time
+      # Avoid having to specify the runs-on logic every time. We use the custom
+      # env var AIRFLOW_SELF_HOSTED_RUNNER set only on our runners, but never
+      # on the public runners
       - name: Set runs-on
         id: set-runs-on
-        run: echo "::set-output name=runsOn::$(jq -n 'env.RUNS_ON')"
+        run: |
+          echo "::set-output name=runsOn::$(jq -n '
+            if env.AIRFLOW_SELF_HOSTED_RUNNER or (["push", "schedule"] | index(env.GITHUB_EVENT_NAME)) then
+              "self-hosted"
+            else
+              "ubuntu-20.04"
+            end
+          ')"
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
         uses: actions/checkout@v2
         with:
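Review bot: In the jq program added to the set-runs-on step, `env.AIRFLOW_SELF_HOSTED_RUNNER` is truthy for any string value, including `""` or `"false"`, because jq treats only `null` and `false` as false, so only a completely unset variable yields the public runner. Comparing against an explicit value, `if env.AIRFLOW_SELF_HOSTED_RUNNER == "true" or (["push", "schedule"] | index(env.GITHUB_EVENT_NAME)) then`, makes the behaviour described in the comment ("set only on our runners") robust to the variable being present but empty. The comment could also name where `AIRFLOW_SELF_HOSTED_RUNNER` is configured on the runners so a reader knows what must stay in sync. The `steps:` list of build-info continues past the end of the hunk.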