Posted to commits@airflow.apache.org by po...@apache.org on 2021/03/23 03:25:55 UTC
[airflow] 08/34: Don't use author_association for self-hosted vs
public runner decision. (#14718)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch v2-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 035b0cbb4809b321f2f84a8517efb489a5fb0ffd
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Thu Mar 11 12:33:50 2021 +0000
Don't use author_association for self-hosted vs public runner decision. (#14718)
Using this has two draw-backs for us.
1. MEMBER applies to _anyone in the org_, not just members/commiters to
this repo
2. The value of this setting depends upon the user's "visiblity" in the
org. I.e. if they hide their membership of the org, the
author_association will show up as "CONTRIBUTOR" instead.
Both of these combined mean we should instead use an alternative list.
We can't use a secret, as the `secrets.` context is not available in the runs-on
stanza, so we have to have a hard-coded list in the workflow file :( This is just as
secure, because the runner still checks the author against its own list.
(cherry picked from commit 42134877467e6e5615b2c5bc20a85058b4fe9ca5)
---
.github/workflows/ci.yml | 67 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 54 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 54f102a..eb6bc0a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,7 @@ on: # yamllint disable-line rule:truthy
branches: ['master', 'v1-10-test', 'v1-10-stable', 'v2-0-test']
env:
-
+ AIRFLOW_COMMITERS: ${{ secrets.AIRFLOW_COMMITERS }}
MOUNT_SELECTED_LOCAL_SOURCES: "false"
FORCE_ANSWER_TO_QUESTIONS: "yes"
FORCE_PULL_IMAGES: "true"
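Review bot: `AIRFLOW_COMMITERS: ${{ secrets.AIRFLOW_COMMITERS }}` sits in the workflow-level `env:`, so the secret's value is placed in the environment of every step of every job. Nothing in the hunks of this commit reads it, and the commit message says the list had to be hard-coded precisely because `secrets.` cannot be used in `runs-on`. If no step elsewhere in ci.yml consumes it, drop the line. If one does, move it into that step's own `env:` so the value is not handed to steps that run code from the pull request.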
@@ -73,25 +73,57 @@ jobs:
build-info:
name: "Build info"
+ # The runs-on cannot refer to env. or secrets. context, so we have no
+ # option but to specify a hard-coded list here. This is "safe", as the list
+ # is checked again by the runner using it's own list, so a PR author cannot
+ # change this and get access to our self-hosted runners
+ #
+ # When changing this list, ensure that it is kept in sync with the
+ # configOverride parameter in AWS SSM (which is what the runner uses)
runs-on: >-
${{ (
(
github.event_name == 'push' ||
github.event_name == 'schedule' ||
- github.event.pull_request.author_association == 'OWNER' ||
- github.event.pull_request.author_association == 'MEMBER'
+ contains(fromJSON('[
+ "BasPH",
+ "Fokko",
+ "KevinYang21",
+ "XD-DENG",
+ "aijamalnk",
+ "alexvanboxel",
+ "aoen",
+ "artwr",
+ "ashb",
+ "bolkedebruin",
+ "criccomini",
+ "dimberman",
+ "feng-tao",
+ "houqp",
+ "jghoman",
+ "jmcarp",
+ "kaxil",
+ "leahecole",
+ "mik-laj",
+ "milton0825",
+ "mistercrunch",
+ "msumit",
+ "potiuk",
+ "r39132",
+ "ryanahamilton",
+ "ryw",
+ "saguziel",
+ "sekikn",
+ "turbaszek",
+ "zhongjiajie",
+ "ephraimbuddy",
+ "jhtimmins",
+ "dstandish"
+ ]'), github.actor)
) && github.repository == 'apache/airflow'
) && 'self-hosted' || 'ubuntu-20.04' }}
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
- RUNS_ON: ${{ (
- (
- github.event_name == 'push' ||
- github.event_name == 'schedule' ||
- github.event.pull_request.author_association == 'OWNER' ||
- github.event.pull_request.author_association == 'MEMBER'
- ) && github.repository == 'apache/airflow'
- ) && 'self-hosted' || 'ubuntu-20.04' }}
outputs:
waitForImage: ${{ steps.wait-for-image.outputs.wait-for-image }}
upgradeToNewerDependencies: ${{ steps.selective-checks.outputs.upgrade-to-newer-dependencies }}
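Review bot: The allow-list in the `runs-on` expression is matched against `github.actor`, which is the account that triggered the run, while the added comment reasons about what "a PR author" can do. The two differ when a listed committer pushes to or reopens someone else's pull request; that run would be routed to `self-hosted` while executing code mostly written by a non-listed contributor. If the gate is meant to follow authorship, compare against `github.event.pull_request.user.login` for pull-request events; otherwise reword the comment to say "triggering actor". Which identity the runner-side list in SSM checks is not visible here, and the two checks should use the same one.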
@@ -127,10 +159,19 @@ jobs:
pullRequestLabels: ${{ steps.source-run-info.outputs.pullRequestLabels }}
runsOn: ${{ steps.set-runs-on.outputs.runsOn }}
steps:
- # Avoid having to specify the runs-on logic every time
+ # Avoid having to specify the runs-on logic every time. We use the custom
+ # env var AIRFLOW_SELF_HOSTED_RUNNER set only on our runners, but never
+ # on the public runners
- name: Set runs-on
id: set-runs-on
- run: echo "::set-output name=runsOn::$(jq -n 'env.RUNS_ON')"
+ run: |
+ echo "::set-output name=runsOn::$(jq -n '
+ if env.AIRFLOW_SELF_HOSTED_RUNNER or (["push", "schedule"] | index(env.GITHUB_EVENT_NAME)) then
+ "self-hosted"
+ else
+ "ubuntu-20.04"
+ end
+ ')"
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
with:
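Review bot: The jq condition in the `Set runs-on` step returns `"self-hosted"` for every `push` or `schedule` event, but unlike the `runs-on` expression on `build-info` it has no `github.repository == 'apache/airflow'` guard. In a fork, `build-info` would run on `ubuntu-20.04` while the `runsOn` output still says `self-hosted`, so any job that takes its runner from this output (not visible in this hunk) would presumably queue for a runner the fork lacks, or land on whatever self-hosted runner the fork has registered. Since `AIRFLOW_SELF_HOSTED_RUNNER` already identifies the project's runners, either drop the event clause or tie it to the repository: `if env.AIRFLOW_SELF_HOSTED_RUNNER or ((["push", "schedule"] | index(env.GITHUB_EVENT_NAME)) and env.GITHUB_REPOSITORY == "apache/airflow") then`. Note also that jq treats any non-null string as true, so the variable set to `""` or `"false"` still selects `self-hosted`.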