potiuk opened a new issue, #69466: URL: https://github.com/apache/airflow/issues/69466
Follow-up to #69460. That issue (and its first PR) moves the **release-management** workflows to an RM-gated `release` deployment environment. This issue covers the remaining secret-using workflows, which are a different case: most run **automatically on every PR/push** (SLACK notifications, Codecov, docs-staging AWS upload) and therefore **must not** require release-manager approval — so they need a separate, **non-gated** environment purely to scope their secrets, not to restrict who runs them. ### Scope - [ ] Define a non-gated environment (e.g. `ci`) for CI-time secrets and move `SLACK_BOT_TOKEN`, `CODECOV_TOKEN`, `DOCS_AWS_*`, `CONSTRAINTS_GITHUB_REPOSITORY` into it. - [ ] Convert the CI-time secret consumers: `ci-amd.yml`, `ci-arm.yml`, `ci-image-checks.yml`, `ci-image-build.yml`, `prod-image-build.yml`, `push-image-cache.yml`, `run-unit-tests.yml`, `integration-system-tests.yml`, `ci-notification.yml`, `ci-duration-monitor.yml`, `e2e-flaky-tests-report.yml`, the scheduled/upgrade-check workflows, and `update-constraints-on-push-stable.yml`. - [ ] Convert the remaining release workflows that need restructuring: `registry-backfill.yml` / `registry-build.yml` (entry job is a reusable-workflow call, so add a small gating job), and `release_single_dockerhub_image.yml` (scope `DOCKERHUB_*`). - [ ] Once **every** secret-using workflow references an environment, remove `secrets-outside-env: disable: true` from `.github/zizmor.yml` so the audit enforces the pattern going forward. Blocked on the environments existing (ASF INFRA), same as #69460. --- Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
