This is an automated email from the ASF dual-hosted git repository. potiuk pushed a commit to branch v2-0-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 035b0cbb4809b321f2f84a8517efb489a5fb0ffd Author: Ash Berlin-Taylor <ash_git...@firemirror.com> AuthorDate: Thu Mar 11 12:33:50 2021 +0000 Don't use author_association for self-hosted vs public runner decision. (#14718) Using this has two draw-backs for us. 1. MEMBER applies to _anyone in the org_, not just members/commiters to this repo 2. The value of this setting depends upon the user's "visiblity" in the org. I.e. if they hide their membership of the org, the author_association will show up as "CONTRIBUTOR" instead. Both of these combined mean we should instead use an alternative list. We can't use a secret as the `secrets.` context is not available in the runs-on stanza, so we have to have a hard-coded list in the workflow file :( This is as secure as the runner still checks the author against it's own list. (cherry picked from commit 42134877467e6e5615b2c5bc20a85058b4fe9ca5) --- .github/workflows/ci.yml | 67 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 54 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 54f102a..eb6bc0a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ on: # yamllint disable-line rule:truthy branches: ['master', 'v1-10-test', 'v1-10-stable', 'v2-0-test'] env: - + AIRFLOW_COMMITERS: ${{ secrets.AIRFLOW_COMMITERS }} MOUNT_SELECTED_LOCAL_SOURCES: "false" FORCE_ANSWER_TO_QUESTIONS: "yes" FORCE_PULL_IMAGES: "true" 
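Review bot: `AIRFLOW_COMMITERS: ${{ secrets.AIRFLOW_COMMITERS }}` is added to the workflow-level `env`, but none of the hunks in this commit reads it. The commit message also says the secret route was abandoned because `secrets.` is not available in `runs-on`. A workflow-level `env` entry is exported to every step of every job, so a secret that nothing consumes is exposed more widely than it needs to be. If it is a leftover, drop the line; if a later step does need it, set it in that step's own `env:` instead.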
@@ -73,25 +73,57 @@ jobs: build-info: name: "Build info" + # The runs-on cannot refer to env. or secrets. context, so we have no + # option but to specify a hard-coded list here. This is "safe", as the list + # is checked again by the runner using it's own list, so a PR author cannot + # change this and get access to our self-hosted runners + # + # When changing this list, ensure that it is kept in sync with the + # configOverride parameter in AWS SSM (which is what the runner uses) runs-on: >- ${{ ( ( github.event_name == 'push' || github.event_name == 'schedule' || - github.event.pull_request.author_association == 'OWNER' || - github.event.pull_request.author_association == 'MEMBER' + contains(fromJSON('[ + "BasPH", + "Fokko", + "KevinYang21", + "XD-DENG", + "aijamalnk", + "alexvanboxel", + "aoen", + "artwr", + "ashb", + "bolkedebruin", + "criccomini", + "dimberman", + "feng-tao", + "houqp", + "jghoman", + "jmcarp", + "kaxil", + "leahecole", + "mik-laj", + "milton0825", + "mistercrunch", + "msumit", + "potiuk", + "r39132", + "ryanahamilton", + "ryw", + "saguziel", + "sekikn", + "turbaszek", + "zhongjiajie", + "ephraimbuddy", + "jhtimmins", + "dstandish" + ]'), github.actor) ) && github.repository == 'apache/airflow' ) && 'self-hosted' || 'ubuntu-20.04' }} env: GITHUB_CONTEXT: ${{ toJson(github) }} - RUNS_ON: ${{ ( - ( - github.event_name == 'push' || - github.event_name == 'schedule' || - github.event.pull_request.author_association == 'OWNER' || - github.event.pull_request.author_association == 'MEMBER' - ) && github.repository == 'apache/airflow' - ) && 'self-hosted' || 'ubuntu-20.04' }} outputs: waitForImage: ${{ steps.wait-for-image.outputs.wait-for-image }} upgradeToNewerDependencies: ${{ steps.selective-checks.outputs.upgrade-to-newer-dependencies }} 
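Review bot: The allow-list in `runs-on` is matched against `github.actor`, the account that triggered the run, whereas the removed `author_association` checks described the pull request's author. The two identities can differ when a listed committer acts on someone else's pull request, and the job would then select `self-hosted` for code written by an unlisted author. If the intent is to gate on authorship, end the expression with `]'), github.event.pull_request.user.login)` instead; the `push`/`schedule` disjuncts already cover events that carry no pull request. The new comment relies on the runner re-checking its own list, but which identity that check uses is not visible here, so the comment should name it, along the lines of `# Both this list and the runner's list are matched against <identity>`. Minor: `it's own list` in that comment should read `its own list`.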
@@ -127,10 +159,19 @@ jobs: pullRequestLabels: ${{ steps.source-run-info.outputs.pullRequestLabels }} runsOn: ${{ steps.set-runs-on.outputs.runsOn }} steps: - # Avoid having to specify the runs-on logic every time + # Avoid having to specify the runs-on logic every time. We use the custom + # env var AIRFLOW_SELF_HOSTED_RUNNER set only on our runners, but never + # on the public runners - name: Set runs-on id: set-runs-on - run: echo "::set-output name=runsOn::$(jq -n 'env.RUNS_ON')" + run: | + echo "::set-output name=runsOn::$(jq -n ' + if env.AIRFLOW_SELF_HOSTED_RUNNER or (["push", "schedule"] | index(env.GITHUB_EVENT_NAME)) then + "self-hosted" + else + "ubuntu-20.04" + end + ')" - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 with:
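Review bot: The new jq expression in `Set runs-on` returns `"self-hosted"` for every `push` or `schedule` event, without the `github.repository == 'apache/airflow'` guard that the removed `RUNS_ON` expression had and that `build-info`'s own `runs-on` still has. In a fork, `build-info` would run on `ubuntu-20.04` yet still emit `runsOn=self-hosted`, so jobs that consume the output would request a runner the fork presumably does not have. Restoring the guard keeps the two decisions consistent: `if env.AIRFLOW_SELF_HOSTED_RUNNER or ((["push", "schedule"] | index(env.GITHUB_EVENT_NAME)) and env.GITHUB_REPOSITORY == "apache/airflow") then`. Note also that jq treats any non-null string as true, so `AIRFLOW_SELF_HOSTED_RUNNER` set to an empty string or `"false"` still selects `self-hosted`; the step comment should say that only the variable's presence matters. The `steps:` list continues beyond this hunk.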