2 changes: 2 additions & 0 deletions .github/workflows/additional-ci-image-checks.yml
Expand Up @@ -84,6 +84,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv to build the image (true/false)"
required: true
type: string
permissions:
contents: read
jobs:
# Push early BuildX cache to GitHub Registry in Apache repository, This cache does not wait for all the
# tests to complete - it is run very early in the build process for "main" merges in order to refresh
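Review bot: Once `permissions:` is declared at workflow level, every scope not listed drops to `none`, so the `contents: read` added before `jobs:` also removes `packages` access from any job that does not declare its own block. The comment right below says the first job pushes the BuildX cache to the GitHub Registry, which needs `packages: write` on that job; its definition is outside the hunk, so confirm it carries a job-level `permissions:` with that scope. The same check applies to `push-ci-image-cache` in push-image-cache.yml and `update-constraints` in finalize-tests.yml, whose names suggest registry or branch writes. A short comment above the block, such as `# Default for all jobs; jobs that need more declare it at job level`, would make the intent explicit.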
2 changes: 2 additions & 0 deletions .github/workflows/additional-prod-image-tests.yml
Expand Up @@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
permissions:
contents: read
jobs:
prod-image-extra-checks-main:
name: PROD image extra checks (main)
3 changes: 2 additions & 1 deletion .github/workflows/automatic-backport.yml
Expand Up @@ -21,7 +21,8 @@ on: # yamllint disable-line rule:truthy
push:
branches:
- main

permissions:
contents: read
jobs:
get-pr-info:
name: "Get PR information"
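Review bot: The workflow-level `contents: read` added before `jobs:` is now the ceiling for any job here that does not set its own permissions, while backport-cli.yml in this same change keeps `contents: write` and `pull-requests: write` and its comment says it is called from this workflow. A reusable workflow cannot receive more token scope than the calling job has, so the job that calls backport-cli.yml needs a job-level `permissions:` with `contents: write` and `pull-requests: write`, and `get-pr-info` should stay on the read-only default. The jobs are defined outside the hunk, so this is something to confirm rather than a visible defect.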
3 changes: 3 additions & 0 deletions .github/workflows/backport-cli.yml
Expand Up @@ -41,6 +41,9 @@ on: # yamllint disable-line rule:truthy
type: string

permissions:
# Those permissions are only active for workflow dispatch (only committers can trigger it) and workflow call
# Which is triggered automatically by "automatic-backport" push workflow (only when merging by committer)
# Branch protection prevents from pushing to the "code" branches
contents: write
pull-requests: write
jobs:
2 changes: 2 additions & 0 deletions .github/workflows/basic-tests.yml
Expand Up @@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv in the image"
required: true
type: string
permissions:
contents: read
jobs:
run-breeze-tests:
timeout-minutes: 10
2 changes: 2 additions & 0 deletions .github/workflows/ci-image-build.yml
Expand Up @@ -96,6 +96,8 @@ on: # yamllint disable-line rule:truthy
description: "Disable airflow repo cache read from main."
required: true
type: string
permissions:
contents: read
jobs:
build-ci-images:
strategy:
3 changes: 2 additions & 1 deletion .github/workflows/ci-image-checks.yml
Expand Up @@ -108,7 +108,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv to build the image (true/false)"
required: true
type: string

permissions:
contents: read
jobs:
install-pre-commit:
timeout-minutes: 5
2 changes: 2 additions & 0 deletions .github/workflows/finalize-tests.yml
Expand Up @@ -76,6 +76,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to debug resources or not (true/false)"
required: true
type: string
permissions:
contents: read
jobs:
update-constraints:
runs-on: ${{ fromJSON(inputs.runs-on-as-json-public) }}
6 changes: 6 additions & 0 deletions .github/workflows/generate-constraints.yml
Expand Up @@ -44,6 +44,12 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uvloop (true/false)"
required: true
type: string
permissions:
# This permission is only active for "canary" builds and PRs from the main repo
# All fork PRs are not allowed to have write permissions and this one is automatically downgraded to read
# Branch protection also prevents from pushing to the "code" branches so we can safely use this one to
# Push constraints to "constraints" branches which are non-code branches and are not protected
contents: write
jobs:
generate-constraints:
permissions:
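Review bot: The `generate-constraints` job opens its own `permissions:` block directly under the new workflow-level `contents: write`, and a job-level block replaces the workflow-level set for that job rather than adding to it. If that job is the only one in the file, the workflow-level write grant has no effect beyond documenting intent; if other jobs exist, they inherit write access they may not need. Consider `contents: read` at workflow level and keeping `contents: write` only on the job that pushes to the constraints branches; the job's block continues outside the hunk, so its current scopes are not visible here. Since this file takes `inputs`, it appears to be a reusable workflow, in which case the caller's job must also grant the scope.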
2 changes: 2 additions & 0 deletions .github/workflows/helm-tests.yml
Expand Up @@ -40,6 +40,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uvloop (true/false)"
required: true
type: string
permissions:
contents: read
jobs:
tests-helm:
timeout-minutes: 80
2 changes: 2 additions & 0 deletions .github/workflows/integration-system-tests.yml
Expand Up @@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
permissions:
contents: read
jobs:
tests-core-integration:
timeout-minutes: 130
2 changes: 2 additions & 0 deletions .github/workflows/k8s-tests.yml
Expand Up @@ -48,6 +48,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to debug resources"
required: true
type: string
permissions:
contents: read
jobs:
tests-kubernetes:
timeout-minutes: 60
3 changes: 2 additions & 1 deletion .github/workflows/news-fragment.yml
Expand Up @@ -21,7 +21,8 @@ name: CI
on: # yamllint disable-line rule:truthy
pull_request:
types: [labeled, unlabeled, opened, reopened, synchronize]

permissions:
contents: read
jobs:
check-news-fragment:
name: Check News Fragment
3 changes: 2 additions & 1 deletion .github/workflows/prod-image-build.yml
Expand Up @@ -116,8 +116,9 @@ on: # yamllint disable-line rule:truthy
description: "Whether this is a prod-image build (true/false)"
required: true
type: string
permissions:
contents: read
jobs:

build-prod-packages:
name: "Build Airflow and provider packages"
timeout-minutes: 10
2 changes: 2 additions & 0 deletions .github/workflows/prod-image-extra-checks.yml
Expand Up @@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
description: "Disable airflow repo cache read from main."
required: true
type: string
permissions:
contents: read
jobs:
myssql-client-image:
uses: ./.github/workflows/prod-image-build.yml
2 changes: 2 additions & 0 deletions .github/workflows/push-image-cache.yml
Expand Up @@ -80,6 +80,8 @@ on: # yamllint disable-line rule:truthy
description: "Disable airflow repo cache read from main."
required: true
type: string
permissions:
contents: read
jobs:
push-ci-image-cache:
name: "Push CI ${{ inputs.cache-type }}:${{ matrix.python }} image cache "
2 changes: 2 additions & 0 deletions .github/workflows/run-unit-tests.yml
Expand Up @@ -116,6 +116,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
permissions:
contents: read
jobs:
tests:
timeout-minutes: 120
3 changes: 2 additions & 1 deletion .github/workflows/special-tests.yml
Expand Up @@ -80,7 +80,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv or not (true/false)"
required: true
type: string

permissions:
contents: read
jobs:
tests-min-sqlalchemy:
name: "Min SQLAlchemy test"
3 changes: 2 additions & 1 deletion .github/workflows/task-sdk-tests.yml
Expand Up @@ -44,7 +44,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether this is a canary run (true/false)"
required: true
type: string

permissions:
contents: read
jobs:
task-sdk-tests:
timeout-minutes: 80
2 changes: 2 additions & 0 deletions .github/workflows/test-provider-packages.yml
Expand Up @@ -62,6 +62,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
permissions:
contents: read
jobs:
prepare-install-verify-provider-packages:
timeout-minutes: 80