Allow git-sync env vars to be overridden via values and loaded from Secrets

[sokratis1988]

Currently, git-sync environment variables (GIT_SYNC_REPO, GIT_SYNC_REV, GIT_SYNC_BRANCH, GITSYNC_REF, etc.) are hardcoded in the git_sync_container helper template and read from values.yaml. If a user tries to override them via dags.gitSync.env, the container ends up with duplicate entries for the same variable name.

This PR:

• Adds a git_sync_env_not_overridden helper that skips the hardcoded
  default when the same variable is provided in dags.gitSync.env,
  preventing duplicates.
• Introduces dags.gitSync.envVarsSecret to load configurable git-sync
  variables from a Kubernetes Secret via secretKeyRef (with
  optional: true), following the same pattern as credentialsSecret
  for GIT_SYNC_USERNAME / GIT_SYNC_PASSWORD.
• Extends the JSON schema in values.schema.json accordingly.

---

Was generative AI tooling used to co-author this PR?

• Yes (please specify the tool below)

Generated-by: [Tool Name] following the guidelines

---

• Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
• For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
• When adding dependency, check compliance with the ASF 3rd Party License Policy.
• For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

• Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
• Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
• Be sure to read the Airflow Coding style.
• Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@airflow.apache.org
  Slack: https://s.apache.org/airflow-slack

[jscheffl]

Why would you want to override the ENV if there are specific helper template entries in the chart?

Note that the full git sync mechanism will be dropped probably soon (plans will be dropped to devlist the next days). So as maintainer the motivation to add more complexity to a future legacy is a bit low.

[sokratis1988]

Why would you want to override the ENV if there are specific helper template entries in the chart?

Note that the full git sync mechanism will be dropped probably soon (plans will be dropped to devlist the next days). So as maintainer the motivation to add more complexity to a future legacy is a bit low.

In my case, I retrieve the configuration for GitSync via Azure Key Vault and install the Helm chart via FluxCD – so I have an externalSecret that I now can reference in the Airflow chart to set the GitSync variables. The current implementation only allows customisation via values.yaml. Maintenance via gitSync.env is not possible due to the duplicate error.
If you say that this feature will be removed soon, what would be the alternative? Will it still be possible to retrieve the DAG configuration via Git?

@jscheffl

[jscheffl]

Why would you want to override the ENV if there are specific helper template entries in the chart?
Note that the full git sync mechanism will be dropped probably soon (plans will be dropped to devlist the next days). So as maintainer the motivation to add more complexity to a future legacy is a bit low.

In my case, I retrieve the configuration for GitSync via Azure Key Vault and install the Helm chart via FluxCD – so I have an externalSecret that I now can reference in the Airflow chart to set the GitSync variables. The current implementation only allows customisation via values.yaml. Maintenance via gitSync.env is not possible due to the duplicate error. If you say that this feature will be removed soon, what would be the alternative? Will it still be possible to retrieve the DAG configuration via Git?

@jscheffl

Plan is to fully switch to Dag Bundles in the configuration.

[potiuk]

@sokratis1988 A few things need addressing before review — see our Pull Request quality criteria.

Issues found:

• ❌ Build documentation (spellcheck): CI image checks / Build documentation (--spellcheck-only) is failing. Run breeze build-docs --spellcheck-only locally to see which words it didn't accept, then either fix the spelling or add the term to docs/spelling_wordlist.txt if it's a legitimate technical word. See the docs-building docs.

What to do next:

• Push a fix for the spellcheck failure.
• @jscheffl asked a design question above ("Why would you want to override the ENV if there are specific helper template entries…") — please reply with the use case so the design conversation can move forward.

There is no rush — take your time and work at your own pace. We appreciate your contribution and are happy to wait for updates. If you have questions, feel free to ask on the Airflow Slack.

---

Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.

[potiuk]

@sokratis1988 A few things need addressing before review — see our Pull Request quality criteria.

• ❌ Build docs — Failing: CI image checks / Build documentation (--spellcheck-only). See docs.

Note: Your branch is 638 commits behind main. Please rebase and push again to get up-to-date CI results.

No rush.

---

Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.

---

Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting