hussein-awala commented on PR #34701: URL: https://github.com/apache/airflow/pull/34701#issuecomment-1751668317
> > Some CI jobs load the scripts files from main ( > > @hussein-awala (and others) for the future - the way for committers to test such a PR is to make PR from "airflow" repo, not from a fork. Maintainers can push branches directly to `apache/airflow` repo and PRs from `main` are build (including building the image) using the scripts coming from the branch that maintainer pushed to the repo. > > That's this flow: https://github.com/apache/airflow/blob/main/CI_DIAGRAMS.md#pull-request-flow-from-apacheairflow-repo > > And for the record - this whole setup is done in order to achieve security - users from their fork should not be able to modify code that is run in "Github Actions" - because this code can be harmful and get access to GITHUB_TOKEN, write permissions and other sensitive data (secrets). > > This is also one of the requirements by the ASF to enable 'run workflows" automatically for forks for external contributors - otherwise we would have to manually approve every single workflow run. Thank you @potiuk for the clarification, this is very interesting. I see the CI fails in #34775 although it cherry-pick this commit and source branch is in Apache repository, do you have any idea? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org