potiuk commented on PR #35739: URL: https://github.com/apache/airflow/pull/35739#issuecomment-1818751144
cc: @ephraimbuddy - I would love that one to be merged before the 2.8.0 cut-off, as it finally closes some of the potential security loops we had in our release process and potential ways how our package could be potentially modified at release time. It would be great if you could also see if it works nicely for you when you generate packages in the release process. It slightly changes where the airflow packages are generated. Previously they were generated as follows:

* static assets were generated in a local pre-commit prepared environment
* the airflow packages were generated inside the Breeze CI image

This change implements a slightly different execution environment for release preparation:

* static assets were generated in a local pre-commit prepared environment (for performance reasons) but on Linux (and I think I will also add a flag for the release manager to run it on MacOS as well, even if it is slower) - in a separate official node image
* the airflow packages are built in a separate Docker container that is much smaller and faster and always locally built without using the Breeze CI image (it is just the official Python image + installed git + wheel + pip + setuptools + rich for diagnostics)

The change allows us to avoid some (rather complex and difficult to pull off) scenarios where (breaking some other things) malicious users could influence the content of prepared packages.

So it would be great to get that in for 2.8.0 at the moment of branch cut-off.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org