potiuk opened a new issue, #69466:
URL: https://github.com/apache/airflow/issues/69466

   Follow-up to #69460. That issue (and its first PR) moves the 
**release-management** workflows to an RM-gated `release` deployment 
environment. This issue covers the remaining secret-using workflows, which are 
a different case: most run **automatically on every PR/push** (SLACK 
notifications, Codecov, docs-staging AWS upload) and therefore **must not** 
require release-manager approval — so they need a separate, **non-gated** 
environment purely to scope their secrets, not to restrict who runs them.
   
   ### Scope
   
   - [ ] Define a non-gated environment (e.g. `ci`) for CI-time secrets and 
move `SLACK_BOT_TOKEN`, `CODECOV_TOKEN`, `DOCS_AWS_*`, 
`CONSTRAINTS_GITHUB_REPOSITORY` into it.
   - [ ] Convert the CI-time secret consumers: `ci-amd.yml`, `ci-arm.yml`, 
`ci-image-checks.yml`, `ci-image-build.yml`, `prod-image-build.yml`, 
`push-image-cache.yml`, `run-unit-tests.yml`, `integration-system-tests.yml`, 
`ci-notification.yml`, `ci-duration-monitor.yml`, `e2e-flaky-tests-report.yml`, 
the scheduled/upgrade-check workflows, and 
`update-constraints-on-push-stable.yml`.
   - [ ] Convert the remaining release workflows that need restructuring: 
`registry-backfill.yml` / `registry-build.yml` (entry job is a 
reusable-workflow call, so add a small gating job), and 
`release_single_dockerhub_image.yml` (scope `DOCKERHUB_*`).
   - [ ] Once **every** secret-using workflow references an environment, remove 
`secrets-outside-env: disable: true` from `.github/zizmor.yml` so the audit 
enforces the pattern going forward.
   
   Blocked on the environments existing (ASF INFRA), same as #69460.
   
   ---
   Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to