Skip to content

Migrate CI-time secret workflows to a deployment environment and re-enable zizmor secrets-outside-env #69466

Description

@potiuk

Follow-up to #69460. That issue (and its first PR) moves the release-management workflows to an RM-gated release deployment environment. This issue covers the remaining secret-using workflows, which are a different case: most run automatically on every PR/push (SLACK notifications, Codecov, docs-staging AWS upload) and therefore must not require release-manager approval — so they need a separate, non-gated environment purely to scope their secrets, not to restrict who runs them.

Scope

  • Define a non-gated environment (e.g. ci) for CI-time secrets and move SLACK_BOT_TOKEN, CODECOV_TOKEN, DOCS_AWS_*, CONSTRAINTS_GITHUB_REPOSITORY into it.
  • Convert the CI-time secret consumers: ci-amd.yml, ci-arm.yml, ci-image-checks.yml, ci-image-build.yml, prod-image-build.yml, push-image-cache.yml, run-unit-tests.yml, integration-system-tests.yml, ci-notification.yml, ci-duration-monitor.yml, e2e-flaky-tests-report.yml, the scheduled/upgrade-check workflows, and update-constraints-on-push-stable.yml.
  • Convert the remaining release workflows that need restructuring: registry-backfill.yml / registry-build.yml (entry job is a reusable-workflow call, so add a small gating job), and release_single_dockerhub_image.yml (scope DOCKERHUB_*).
  • Once every secret-using workflow references an environment, remove secrets-outside-env: disable: true from .github/zizmor.yml so the audit enforces the pattern going forward.

Blocked on the environments existing (ASF INFRA), same as #69460.


Drafted-by: Claude Code (Opus 4.8); reviewed by @potiuk before posting

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:CIAirflow's tests and continious integration

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions