You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Follow-up to #69460. That issue (and its first PR) moves the release-management workflows to an RM-gated release deployment environment. This issue covers the remaining secret-using workflows, which are a different case: most run automatically on every PR/push (SLACK notifications, Codecov, docs-staging AWS upload) and therefore must not require release-manager approval — so they need a separate, non-gated environment purely to scope their secrets, not to restrict who runs them.
Scope
Define a non-gated environment (e.g. ci) for CI-time secrets and move SLACK_BOT_TOKEN, CODECOV_TOKEN, DOCS_AWS_*, CONSTRAINTS_GITHUB_REPOSITORY into it.
Convert the CI-time secret consumers: ci-amd.yml, ci-arm.yml, ci-image-checks.yml, ci-image-build.yml, prod-image-build.yml, push-image-cache.yml, run-unit-tests.yml, integration-system-tests.yml, ci-notification.yml, ci-duration-monitor.yml, e2e-flaky-tests-report.yml, the scheduled/upgrade-check workflows, and update-constraints-on-push-stable.yml.
Convert the remaining release workflows that need restructuring: registry-backfill.yml / registry-build.yml (entry job is a reusable-workflow call, so add a small gating job), and release_single_dockerhub_image.yml (scope DOCKERHUB_*).
Once every secret-using workflow references an environment, remove secrets-outside-env: disable: true from .github/zizmor.yml so the audit enforces the pattern going forward.
Blocked on the environments existing (ASF INFRA), same as #69460.
Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting
Follow-up to #69460. That issue (and its first PR) moves the release-management workflows to an RM-gated
releasedeployment environment. This issue covers the remaining secret-using workflows, which are a different case: most run automatically on every PR/push (SLACK notifications, Codecov, docs-staging AWS upload) and therefore must not require release-manager approval — so they need a separate, non-gated environment purely to scope their secrets, not to restrict who runs them.Scope
ci) for CI-time secrets and moveSLACK_BOT_TOKEN,CODECOV_TOKEN,DOCS_AWS_*,CONSTRAINTS_GITHUB_REPOSITORYinto it.ci-amd.yml,ci-arm.yml,ci-image-checks.yml,ci-image-build.yml,prod-image-build.yml,push-image-cache.yml,run-unit-tests.yml,integration-system-tests.yml,ci-notification.yml,ci-duration-monitor.yml,e2e-flaky-tests-report.yml, the scheduled/upgrade-check workflows, andupdate-constraints-on-push-stable.yml.registry-backfill.yml/registry-build.yml(entry job is a reusable-workflow call, so add a small gating job), andrelease_single_dockerhub_image.yml(scopeDOCKERHUB_*).secrets-outside-env: disable: truefrom.github/zizmor.ymlso the audit enforces the pattern going forward.Blocked on the environments existing (ASF INFRA), same as #69460.
Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting