Gate release image and docs publish workflows via release environment#69465
Draft
potiuk wants to merge 1 commit into
Draft
Gate release image and docs publish workflows via release environment#69465potiuk wants to merge 1 commit into
potiuk wants to merge 1 commit into
Conversation
Manual, release-process workflows restrict who may trigger them by duplicating a hardcoded release-manager allowlist as an `if:` condition on the first job. The list drifts across files, only gates the actor (not the secrets the workflow consumes), and is easy to get wrong. Replace those allowlists in the prod image release and docs-to-S3 publish workflows with a dedicated, RM-only `release` deployment environment referenced by the entry job. Access control and secret scoping then live in one place instead of copy-pasted handle lists. The `release` environment must be created by ASF INFRA with release managers as required reviewers, so this stays a draft until that is in place. Converting the remaining release/registry workflows and the CI-time secret consumers is tracked separately.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Manual, release-process workflows restrict who may trigger them by duplicating a hardcoded release-manager allowlist as an
if: contains(fromJSON('[...]'), github.event.sender.login)on the first job. The list drifts across files, only gates the actor (not the secrets consumed), and is easy to get wrong.This replaces those allowlists in the prod image release (
release_dockerhub_image.yml) and docs-to-S3 publish (publish-docs-to-s3.yml) workflows with a dedicated, RM-onlyreleasedeployment environment referenced by the entry job. Access control and secret scoping then live in one place.Draft because the
releaseenvironment must first be created by ASF INFRA with release managers as required reviewers. Until it exists with protection rules, a job referencing it runs ungated — so this must not merge before INFRA sets it up (the issue's open question is exactly what.asf.yamlcan express here).Deliberately not in this PR (tracked in #69460 / the follow-up):
update-constraints-on-push.yml— its manual dispatch is added in Allow manual triggering of constraints refresh workflow #69457; convert once that merges.registry-backfill.yml/registry-build.yml— their entry job is a reusable-workflow call, which can't carryenvironment:; needs a small gating-job restructure.release_single_dockerhub_image.ymlDOCKERHUB secret scoping.secrets-outside-env.Part of #69460.
Was generative AI tooling used to co-author this PR?
Generated-by: Claude Code (Opus 4.8) following the guidelines