ci: add prek/zizmor/codeql/allowlist workflows, dependabot, .asf.yaml#5
Merged
Bootstraps the standard ASF/security CI surface for the framework
repo, mirroring what airflow-s and apache/airflow run. The framework
had no CI of its own — the .pre-commit-config.yaml defined hooks
(ruff/format/mypy/pytest for the two Python projects) but nothing
was actually invoking them on PRs.
Files added:
- .github/workflows/pre-commit.yml — runs `prek` on every PR and
push to main. Sets up Python and uv before invoking
`j178/prek-action`; uv is required because the per-project hooks
under tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/
invoke `uv run --directory ...`.
- .github/workflows/zizmor.yml — GitHub Actions security analysis
via zizmorcore/zizmor-action. Reads .zizmor.yml at the repo root.
- .github/workflows/codeql.yml — weekly + per-PR CodeQL analysis
for Python (the only hand-written language in this repo). Uses
the `security-and-quality` query suite; no security-extended
needed (the code is stdlib-only / single OAuth dep and does not
process untrusted runtime input).
- .github/workflows/asf-allowlist-check.yml — ASF infra's
allowlist-check action, scoped to PRs that touch .github/.
Catches actions that haven't been allow-listed by ASF Infra.
- .github/dependabot.yml — weekly bumps with a 7-day cooldown for
four ecosystems: github-actions (root), pre-commit (root), and
uv with a directory entry per Python project
(tools/vulnogram/generate-cve-json, tools/gmail/oauth-draft).
- .zizmor.yml — empty rule overrides, so every finding surfaces
initially. Add ignores here when accepting a known false
positive.
- .asf.yaml — repo metadata that ASF Infra picks up: description
(replacing the current incorrect "Apache airflow"), homepage,
labels, feature flags (issues/projects/discussions on, wiki off),
squash-only merge, no auto-merge, head branch deletion on merge,
and notification routing to airflow.apache.org lists (the
framework lives under the Airflow PMC umbrella for now).
Deliberately **no `protected_branches:` block** — branch
protection stays in GitHub UI for now until the project's
release/branching policy stabilises.
All actions are pinned to SHAs (matching the airflow-s convention);
versions chosen are the latest as used by airflow-s/airflow at the
time of writing.
Test plan:
- `prek` passes on the new workflow files (yaml-lint, doctoc skip,
end-of-file-fixer all green).
- `zizmor` v1.24.1 audit of the four workflow files plus
dependabot.yml: no findings.
- The actual CI runs will fire on the PR and validate the workflows
themselves end-to-end.
Generated-by: Claude Code (Claude Opus 4.7)
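The description states that all actions are pinned to SHAs, which is the property zizmor's unpinned-uses audit enforces. The following is an added example, not code from the PR or the repository, of a stdlib-only pre-merge check for that property: it scans a workflow's `uses:` lines and reports any reference that is not an immutable commit SHA (or an image digest for `docker://` actions). The workflow text and the 40-hex SHA in it are constructed for the example.

```python
"""Report `uses:` references in a GitHub Actions workflow that are not
pinned to an immutable commit SHA.

Added example, not code from the PR. Stdlib only: workflow text is scanned
line by line rather than parsed with a YAML library so the check runs
without extra dependencies.
"""
from __future__ import annotations

import re

# `- uses: owner/repo@ref  # comment` with optional quoting; capture stops at
# whitespace, a quote, or the start of a trailing comment.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
_DIGEST_RE = re.compile(r"^sha256:[0-9a-fA-F]{64}$")


def is_pinned(ref: str) -> bool:
    """Return True when `ref` cannot change underneath the workflow.

    - local actions (./path) are part of the repo itself and need no pin
    - docker:// references must carry an image digest, not a tag
    - everything else must be owner/repo[/path]@<40-hex commit SHA>;
      tags (@v4) and branches (@main) are mutable and count as unpinned
    """
    if ref.startswith("./"):
        return True
    if "@" not in ref:
        return False
    target, _, version = ref.rpartition("@")
    if target.startswith("docker://"):
        return bool(_DIGEST_RE.match(version))
    return bool(_SHA_RE.match(version))


def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every `uses:` that is not pinned."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real
# commit of astral-sh/setup-uv.
SAMPLE_WORKFLOW = """\
name: pre-commit
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  prek:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567  # v6.0.0
      - uses: ./.github/actions/local-helper
      - uses: docker://ghcr.io/example/tool:latest
      - run: uv sync --group dev && uv run prek run --all-files
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference {ref!r}")
```

Run against the sample it flags `actions/checkout@v4` (mutable tag) and the digest-less `docker://` image, and accepts the SHA-pinned and local actions. Keep the `# vX.Y.Z` comment next to each SHA; Dependabot's github-actions ecosystem updates the SHA and the comment together, which is what makes SHA pins maintainable.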
…own)
Replaces the `j178/prek-action` step in the pre-commit workflow with
a `uv sync --group dev` + `uv run prek` invocation, and adds a root
`pyproject.toml` so the framework's dependency-resolution settings
have a place to live.
Why the swap:
- `uv tool install` does not honor `[tool.uv]` settings from a
pyproject.toml in cwd, so the `exclude-newer` cooldown below would
not have applied to a `uv tool install prek` invocation.
- `uv sync --group dev` does — prek is now a declared dev
dependency of the framework root, the resolution honors the
`exclude-newer` cooldown, and the resolved version is locked in
the root `uv.lock` for reproducibility across CI runs.
Root `pyproject.toml`:
- `[project]` block declares the framework root as a (non-package)
uv-managed project. `[tool.uv] package = false` keeps uv from
trying to build a wheel from the framework root.
- `[dependency-groups] dev = ["prek>=0.3.5"]` — lower bound mirrors
`minimum_prek_version` in `.pre-commit-config.yaml`; upper bound
is enforced implicitly by the cooldown below, so the resolved
version is "the most recent prek that is at least 7 days old"
(currently 0.3.10, released 2026-04-21).
- `[tool.uv] required-version = ">=0.11.8"` pins the minimum uv
version (latest at time of writing).
- `[tool.uv] exclude-newer = "7 days"` — relative cooldown, applied
uniformly across all uv resolutions (including the per-project
resolutions for the two Python projects under `tools/`, which uv
re-resolved as a side-effect of the root settings).
- `[tool.uv] exclude-newer-package = { uv = "1 day" }` — per-package
override for `uv` itself, since the latest uv (0.11.8, released
2026-04-27) is within the 7-day window. The TODO comment marks
2026-05-05 as the date when this override becomes redundant and
can be dropped.
Workflow change:
- Drop the `actions/setup-python` step. uv brings its own Python
via `uv sync` and the per-project hooks already use `uv run
--directory ...` for their Python needs.
- Drop the `j178/prek-action` step. Replaced with `uv sync
--group dev` (resolves prek through the root pyproject.toml's
cooldown settings) followed by `uv run prek run --all-files
--show-diff-on-failure --color=always`.
Per-tool lockfile updates (`tools/gmail/oauth-draft/uv.lock`,
`tools/vulnogram/generate-cve-json/uv.lock`):
These re-resolved as a side-effect of the new root `[tool.uv]
exclude-newer` setting being inherited by the subprojects. The
version downgrades (e.g. cryptography 47.0.0 → 46.0.7, certifi
2026.4.22 → 2026.2.25) are within stable releases and all 122 tests
+ 8 lint/type-check hooks pass against the new resolution.
Generated-by: Claude Code (Claude Opus 4.7)
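The commit message describes how the `exclude-newer` cooldown, the `>=0.3.5` floor and the per-package `uv = "1 day"` override interact. The following is an added example that models that policy in plain Python; it is not uv's resolver and not code from the PR. The only release dates taken from the commit message are prek 0.3.10 (2026-04-21) and uv 0.11.8 (2026-04-27); every other version and date in the release table is constructed.

```python
"""Model of the relative `exclude-newer` cooldown: resolve to the newest
release that is at least N days old, honouring a lower version bound and
per-package cooldown overrides.

Added example imitating the policy described in the commit message; not
uv's resolver. Dates marked "constructed" are made up for the example.
"""
from __future__ import annotations

from datetime import date, timedelta

# Constructed release history: package -> [(version, release date), ...]
RELEASES = {
    "prek": [
        ("0.3.4", date(2026, 3, 1)),    # constructed; below the >=0.3.5 floor
        ("0.3.9", date(2026, 4, 10)),   # constructed
        ("0.3.10", date(2026, 4, 21)),  # date stated in the commit message
        ("0.3.11", date(2026, 4, 30)),  # constructed; inside a 7-day window on 2026-05-01
    ],
    "uv": [
        ("0.11.7", date(2026, 4, 15)),  # constructed
        ("0.11.8", date(2026, 4, 27)),  # date stated in the commit message
    ],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (enough for this model)."""
    return tuple(int(part) for part in v.split("."))


def resolve(package: str, releases: dict, today: date, cooldown_days: int,
            min_version: str | None = None,
            overrides: dict[str, int] | None = None) -> str | None:
    """Newest version released on or before today - cooldown and >= min_version.

    Returns None when nothing qualifies: the real resolver fails in that
    case rather than silently picking a release inside the cooldown window.
    """
    days = (overrides or {}).get(package, cooldown_days)
    cutoff = today - timedelta(days=days)
    floor = parse_version(min_version) if min_version else ()
    candidates = [
        (parse_version(v), v)
        for v, released in releases.get(package, [])
        if released <= cutoff and parse_version(v) >= floor
    ]
    if not candidates:
        return None
    return max(candidates)[1]


def override_redundant_from(released: date, cooldown_days: int) -> date:
    """First date on which a release is outside the cooldown window even
    with timestamp-level (not date-level) comparison, i.e. when a
    per-package override for it can be dropped."""
    return released + timedelta(days=cooldown_days + 1)


if __name__ == "__main__":
    today = date(2026, 5, 1)  # constructed "time of writing"
    print("prek:", resolve("prek", RELEASES, today, 7, min_version="0.3.5"))
    print("uv, no override:", resolve("uv", RELEASES, today, 7))
    print("uv, >=0.11.8 without override:",
          resolve("uv", RELEASES, today, 7, min_version="0.11.8"))
    print("uv, 1-day override:", resolve("uv", RELEASES, today, 7, overrides={"uv": 1}))
    print("override redundant from:", override_redundant_from(date(2026, 4, 27), 7))
```

With a 7-day cooldown on the constructed 2026-05-01, prek resolves to 0.3.10 (0.3.11 is too new, 0.3.4 is under the floor); uv without the override falls back to 0.11.7, and a `>=0.11.8` floor without the override produces no candidate at all, which is the failure the `exclude-newer-package` override avoids. The override becomes redundant from 2026-05-05, matching the TODO in the commit message.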
andreahlert added a commit to andreahlert/airflow-steward that referenced this pull request on May 15, 2026:
- Replace SPDX with full ASF v2 license header (jbonofre)
- Clarify binding audience: contributors, committers, PMC, unmodified adopters (jbonofre)
- Extend apache#5 with deterministic-first execution to save tokens (potiuk)
- Extend apache#6 with explicit human sign-off for outbound human communication (RussellSpitzer)
- Rework apache#9 around capability floor instead of "same code on all backends", add justified-and-minimized clause, add end-to-end single-machine config requirement (RussellSpitzer)
- Standardize on US English (analyze, artifact, behavior, catalog, license, specialized)