potiuk opened a new issue, #69460:
URL: https://github.com/apache/airflow/issues/69460
### Problem
Manual, release-process-related workflows currently restrict who can trigger
them by duplicating a hardcoded release-manager allowlist as an `if:` condition
on the first job, e.g.:
```yaml
if: contains(fromJSON('[ "ashb", "bugraoz93", "eladkal", ... ]'),
github.event.sender.login)
```
This pattern is spread across several workflows (prod image release, single
prod image release, publish docs to S3, and now the constraints-refresh
workflow — see #69457). It has real downsides:
- The RM handle list drifts and must be updated in many files independently.
- It only gates the *actor*; it does not scope the *secrets* those workflows
consume.
- It is easy to forget on a new workflow, or to get the `event_name` guard
subtly wrong.
### Proposal
Introduce a dedicated GitHub Actions **deployment environment** (e.g.
`release`) and:
1. Configure it — via `.asf.yaml` (rulesets / environment configuration now
supported by ASF INFRA) — so that only release managers can run jobs that
reference it, and scope the release/publishing secrets to that environment.
2. Convert **all** workflows that manually dispatch release-process-related
workflows, and **all** secret-using workflows, to reference `environment:
release`.
3. Remove the per-workflow `if: contains(fromJSON('[...]'),
github.event.sender.login)` allowlists — the environment's protection rules
become the single source of truth for "who may run this."
### Benefits
- Centralized, auditable access control instead of copy-pasted handle lists.
- Secrets scoped to the environment rather than available to any job in the
repo.
- New release workflows opt in with one line (`environment: release`)
instead of re-deriving the guard.
### Scope / acceptance criteria
- [ ] Confirm with ASF INFRA what `.asf.yaml` can express for environment
protection rules / required reviewers / actor restrictions.
- [ ] Define and configure the `release` environment (RM-only) and move
release/publishing secrets into it.
- [ ] Enumerate and migrate affected workflows:
`release_dockerhub_image.yml`, `release_single_dockerhub_image.yml`,
`publish-docs-to-s3.yml`, `update-constraints-on-push.yml`, plus any other
secret-consuming workflows.
- [ ] Replace the manual `if:` actor allowlists with the environment gate.
- [ ] Document the model in the dev docs.
Prompted by #69457, which had to add yet another manual RM `if:` allowlist
that this environment-based approach would replace.
---
Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]