potiuk opened a new pull request, #5:
URL: https://github.com/apache/airflow-steward/pull/5
## Summary
Bootstraps the standard ASF / security CI surface for the framework repo.
The framework had no CI of its own — `.pre-commit-config.yaml` defined hooks
(ruff/format/mypy/pytest for the two Python projects) but nothing was actually
invoking them on PRs.
Mirrors what `airflow-s/airflow-s` and `apache/airflow` run.
## Files added
- **`.github/workflows/pre-commit.yml`** — runs `prek` on every PR and push
to `main`. Sets up Python and `uv` before invoking `j178/prek-action`; `uv` is
required because the per-project hooks under
`tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/` invoke `uv run
--directory ...`.
- **`.github/workflows/zizmor.yml`** — GitHub Actions security analysis via
`zizmorcore/zizmor-action`. Reads `.zizmor.yml` at the repo root.
- **`.github/workflows/codeql.yml`** — weekly + per-PR CodeQL analysis for
Python (the only hand-written language in this repo). Uses the
`security-and-quality` query suite; no `security-extended` needed (the code is
stdlib-only / single OAuth dep and does not process untrusted runtime input).
- **`.github/workflows/asf-allowlist-check.yml`** — ASF infra's
`allowlist-check` action, scoped to PRs that touch `.github/`. Catches actions
that haven't been allow-listed by ASF Infra.
- **`.github/dependabot.yml`** — weekly bumps with a 7-day cooldown for four
ecosystems: `github-actions` (root), `pre-commit` (root), and `uv` with a
directory entry per Python project (`tools/vulnogram/generate-cve-json`,
`tools/gmail/oauth-draft`).
- **`.zizmor.yml`** — empty rule overrides, so every finding surfaces
initially. Add ignores here when accepting a known false positive.
- **`.asf.yaml`** — repo metadata that ASF Infra picks up:
  - Description (replacing the current incorrect "Apache airflow") and
    homepage.
  - Labels (8 generic, room for ~12 more).
  - Feature flags: issues/projects/discussions on, wiki off.
  - Squash-only merge, no auto-merge, head branch deletion on merge.
  - Notification routing to `airflow.apache.org` lists (the framework lives
    under the Airflow PMC umbrella for now; revisit if/when the repo moves to
    `apache/steward` under a different PMC).
  - **Deliberately no `protected_branches:` block** — branch protection
    stays in the GitHub UI for now until the project's release/branching policy
    stabilises.
All actions are pinned to SHAs (matching the airflow-s convention); versions
chosen are the latest as used by `airflow-s/airflow-s` / `apache/airflow` at
the time of writing.
## Test plan
- ✅ `prek` passes on the new workflow files locally.
- ✅ `zizmor` v1.24.1 audit of the four workflow files plus `dependabot.yml`:
no findings.
- The actual CI runs will fire on this PR and validate the workflows
themselves end-to-end.
- After merge, ASF Infra's asf.yaml processor will pick up the description /
labels / notification config (allow ~minutes for the GitHub repo metadata to
update).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
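For reference, a `.github/dependabot.yml` that implements the four-ecosystem, weekly, 7-day-cooldown setup the description lists. This is an added illustration, not the file from the PR; the directories and intervals come from the description above, while the `cooldown.default-days` key and the `uv` / `pre-commit` ecosystem names are assumed to be the Dependabot spellings for those features.

```yaml
# Added example, not the PR's own file. Mirrors the described setup:
# weekly checks, 7-day cooldown on newly released versions, one entry
# per ecosystem/directory so each Python project gets its own lockfile bumps.
version: 2
updates:
  # GitHub Actions used by the workflows under .github/workflows/ (root)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7   # assumed key name; wait a week before proposing a bump

  # Hook revisions in .pre-commit-config.yaml (root)
  - package-ecosystem: "pre-commit"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7

  # uv-managed Python project: CVE JSON generator
  - package-ecosystem: "uv"
    directory: "/tools/vulnogram/generate-cve-json"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7

  # uv-managed Python project: Gmail OAuth draft tool
  - package-ecosystem: "uv"
    directory: "/tools/gmail/oauth-draft"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```

The cooldown is what gives reviewers a window to catch a compromised or yanked release before the bump PR lands; the same `zizmor` run mentioned in the test plan can be pointed at this file too.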