productionize community-ci workflow

[alafanechere]

Closes https://github.com/airbytehq/airbyte-internal-issues/issues/7315

This PR introduces a new community_ci.yml workflow to run connectors tests and format on fork PR.

How can this safely work as forks contain untrusted code ⁉️

• We use pull_request_target triggers: it means the worfklow logic is the one hosted on the target branch. The fork can't alter the CI behavior. We can't use the pull_request event because: it does not provide access to secrets on forks and the workflow logic could be altered by the contribution.
• We use GitHub environments with protection rule (community_ci): the execution of the test and format jobs is conditioned by a human approval from a pool of selected Airbyters. A human review should identify shady activity like secret extraction or resource exhaustion. If the code is deemed safe the Airbyte reviewer can approve the deployment to the environment, which would run CI jobs.
• Github runners are ephemeral so there's no way of accessing artifacts produced by a previous job. We moreover created dedicated runners for community use cases.

Changes

• I modified the community_ci.yml workflow from my spike to clean it up and make it work. This is the first thing you should review.
• I made airbyte-ci accept a --git-repo-url option. This is to enable it to clone forked Airbyte repo to compute the list of modified files.
• I changed the install-airbyte-ci.yml action to always install the binary when we're on a fork. This will prevent accidentally installing airbyte-ci from source if something shady is introduced to this tool.
• I modified the other existing "non fork" workflow to early exit or skip if they're triggered by a fork. This should guarantee mutual exclusion of what's running in community_ci.yml and the other non fork workflows.

Why did you introduce a new workflow and not change the logic of the existing ones ⁉️

I felt that introducing a new workflow dedicated to Community CI was simpler to colocate all the specific (and a bit more complex) logic related to running CI on forks.
If we wanted to modify the other workflows to support running on forks it would require changing their trigger from pull_request to pull_request_target, which has some drawbacks. It would also introduce a lot more conditional expressions in workflows to check whether we're on a fork.

We can consider streamlining workflows to work on fork / non fork in the future, but I first want to unblock the community review use case in a simple and atomic manner.

Demo

Test and format correctly ran in this workflow execution on this fork.

When a push happens on the PR Github displays this button to start the approval flow:

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
airbyte-docs	⬜️ Ignored (Inspect)	Visit Preview		Apr 25, 2024 8:26am

[alafanechere]

• productionize community-ci workflow #37404 👈
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @alafanechere and the rest of your teammates on Graphite

[ellipsis-dev]

Your free trial has expired. To continue using Ellipsis, sign up at https://app.ellipsis.dev for $20/developer/month. If you have any questions, reach us at help@ellipsis.dev

[alafanechere]

This worfklow was not used anywhere

[aaronsteers]

Regarding security, @natikgadzhi and @alafanechere , are you both confident enough in the security profile here that we can relax the GitHub setting to let workflows run freely on fork PRs? We just relaxed on PyAirbyte because this enables users constant feedback on those non-privileged workflows like lint, format, static code tests and non-cred-tests like unit tests.

Before bringing in any pull_request_target workflows, we should carefully consider if this limits our options to enable more frequent checks for users. (Today all workflows require approval, even though there is zero security risk. And we're adding a new security vulnerability here that we need to mitigate ourselves.)

[alafanechere]

Regarding security, @natikgadzhi and @alafanechere , are you both confident enough in the security profile here that we can relax the GitHub setting to let workflows run freely on fork PRs?

No I am not.

• A. Anytime there's secret access there's a risk for secret exfiltration as we execute untrusted code.
• B. Anytime we execute untrusted code there's a risk for resource abuse.

B can be easily mitigated with carefully picked timeouts and concurrency control.
A would require a rework of the worfklows and airbyte-ci to not require secrets for non-cred-tests. We currently run one single airbyte-ci command which runs all tests, so we pass secrets to it. We could rework the workflow for more granular execution. This is something I described in details in Phase 2 of my tech spec

In any case I believe this should be a follow up effort. We could start by not requiring secrets for format as it's a smaller lift compared to running unit tests automatically.

[alafanechere]

Before bringing in any pull_request_target workflows, we should carefully consider if this limits our options to enable more frequent checks for users.

The pull_request_target trigger does not limit the checks frequency. It has the same triggering logic as pull_requests. What can throttle frequent checks is the use of Github environment with protection which requires human approval.

[natikgadzhi]

Pre-approving to get this moving, caveated on addressing feedback —I hope to have this in soon so we can then cleanup formatting and get @marcosmarxm to be very happy ;)

[natikgadzhi]

How does it work without Python tho!? TIL

[natikgadzhi]

Nit: check if new version of checkout is available. V4 I think?

[natikgadzhi]

I assume this needs to change before we merge?

[natikgadzhi]

Ah, so we want to ensure that they ran new versions of tests and such?

[natikgadzhi]

Why change the token here? How is it related? Is this one specific to community ci?

[alafanechere]

DAGGER_CLOUD_TOKEN_2 is the latest version of this secrets which works.
The previous token stopped working when we moved to GHA runners and I don't know why.
I kept both tokens as we did progressive migration from self hosted to GHA runners.

[natikgadzhi]

Can you explain this change a bit? Did we rename the variable before but didn't rename this particular input?

[alafanechere]

I'm just aligning the inputs to what is currently declared in the format_check.yml workflow.

[natikgadzhi]

Do we remove this in favor of @aaronsteers's approach to formatting, given we'll clean that one up?

[sentry-io]

Suspect Issues

This pull request was deployed and Sentry observed the following issues:

• ‼️ LiveError: Only one live display may be active at once pipelines.helpers.git in get_modified_files_in_... View Issue
• ‼️ LiveError: Only one live display may be active at once rich.console in set_live View Issue
• ‼️ ExecError: process "git checkout --track origin/04-26-bug_airbyte-ci_ensure_we_always_track_an_explicit_bran... pipelines.dagger.containers.git in checked_out_... View Issue

_{Did you find this useful? React with a 👍 or 👎}