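--- /dev/null
+++ b/.asf.yaml
@@ -0,0 +1,63 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# https://cwiki.apache.org/confluence/display/INFRA/git+-+.asf.yaml+features
+---
+github:
+description: "Reusable framework for handling security vulnerabilities in Apache projects — agent skills, tracker conventions, and tooling."
+homepage: "https://github.com/apache/airflow-steward"
+labels:
+# Note that GitHub only supports <=20 labels/topics per repo! Pipeline
+# will fail if you add more.
+- apache
+- security
+- cve
+- vulnerability-management
+- vulnerability-disclosure
+- agent-skills
+- claude-code
+- automation
+features:
+issues: true
+projects: true
+wiki: false
+discussions: true
+
+enabled_merge_buttons:
+squash: true
+merge: false
+rebase: false
+
+pull_requests:
+allow_auto_merge: false
+allow_update_branch: true
+del_branch_on_merge: true
+
+# No `protected_branches:` block by design — branch protections are
+# configured directly in GitHub for now. Add here when the project's
+# release / branching policy stabilises.
+
+notifications:
+# The framework is hosted under the Airflow PMC umbrella for now;
+# routing notifications to airflow.apache.org lists matches the
+# current ownership. Revisit if/when the repo moves to
+# `apache/steward` under a different PMC.
+jobs: jobs@airflow.apache.org
+commits: commits@airflow.apache.org
+issues: commits@airflow.apache.org
+pullrequests: commits@airflow.apache.org
+discussions: commits@airflow.apache.org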
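Review bot: The comment standing in for the missing `protected_branches:` block says protections are "configured directly in GitHub for now", but on ASF-managed repositories committers normally do not hold admin rights and branch protection is driven from `.asf.yaml` itself, so it is worth confirming that `main` is actually protected today and who owns that setting. If it is set out-of-band, codifying even a minimal block here, `protected_branches:` / `main:` / `required_pull_request_reviews:` / `required_approving_review_count: 1`, makes the policy versioned and reviewable rather than dependent on console state. The rest of the file (squash-only merges, `del_branch_on_merge: true`, read-only notification routing) is consistent and needs no change.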
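--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,78 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"
+# 7-day cooldown so a just-released action tag has a chance to
+# settle (retags, withdrawal, CI incidents on the upstream) before
+# Dependabot proposes bumping to it.
+cooldown:
+default-days: 7
+semver-major-days: 7
+semver-minor-days: 7
+semver-patch-days: 7
+groups:
+github-actions:
+patterns:
+- "*"
+
+- package-ecosystem: "pre-commit"
+directory: "/"
+schedule:
+interval: "weekly"
+cooldown:
+default-days: 7
+semver-major-days: 7
+semver-minor-days: 7
+semver-patch-days: 7
+groups:
+pre-commit-hooks:
+patterns:
+- "*"
+
+- package-ecosystem: "uv"
+directory: "/tools/vulnogram/generate-cve-json"
+schedule:
+interval: "weekly"
+cooldown:
+default-days: 7
+semver-major-days: 7
+semver-minor-days: 7
+semver-patch-days: 7
+groups:
+generate-cve-json-deps:
+patterns:
+- "*"
+
+- package-ecosystem: "uv"
+directory: "/tools/gmail/oauth-draft"
+schedule:
+interval: "weekly"
+cooldown:
+default-days: 7
+semver-major-days: 7
+semver-minor-days: 7
+semver-patch-days: 7
+groups:
+oauth-draft-deps:
+patterns:
+- "*"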
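Review bot: In each of the four `cooldown:` blocks, `default-days: 7` already applies to every update tier, so the `semver-major-days`, `semver-minor-days` and `semver-patch-days` entries all set to the same 7 are redundant and will drift silently if one tier is later edited alone. Either drop the three `semver-*-days` lines in the github-actions, pre-commit and both uv entries, or state the intent once above the first block, e.g. `# all tiers listed explicitly so any per-tier change shows up as a diff`. The `"*"` grouping means one PR bundles every bump in an ecosystem, majors included; that matches the 7-day settle rationale but is worth a word in the same comment so reviewers know majors are not separated.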
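--- /dev/null
+++ b/.github/workflows/asf-allowlist-check.yml
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+name: "ASF Allowlist Check"
+"on":
+pull_request:
+paths: [".github/**"]
+push:
+branches: [main]
+paths: [".github/**"]
+permissions:
+contents: read
+jobs:
+asf-allowlist-check:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+- uses: apache/infrastructure-actions/allowlist-check@4e9c961f587f72b170874b6f5cd4ac15f7f26eb8 # main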
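Review bot: The `allowlist-check` step is SHA-pinned but annotated `# main`, so the comment records a moving branch rather than a release; Dependabot refreshes the trailing comment only when it can map the new SHA to a tag, so this pin may be bumped without the comment telling a reader what version it now corresponds to. If upstream publishes tags, pin to one and annotate it (`# vX.Y.Z` placeholder); if it does not, say so in a comment so the `# main` is understood as deliberate. Separately, the quoted `"on":` key here differs from the `on: # yamllint disable-line rule:truthy` form used by codeql.yml, pre-commit.yml and zizmor.yml in this same commit; both are valid, but the workflows should use one form.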
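--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,65 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+---
+name: "CodeQL"
+
+on: # yamllint disable-line rule:truthy
+push:
+branches: [main]
+pull_request:
+branches: [main]
+schedule:
+# Run weekly on Sunday at 07:13 UTC. Off-peak hour chosen so the job
+# doesn't collide with Monday-morning CI surges.
+- cron: "13 7 * * 0"
+
+permissions:
+contents: read
+
+jobs:
+analyze:
+name: Analyze Python
+runs-on: ubuntu-24.04
+permissions:
+# Writing security-events is required for CodeQL to upload results to
+# the repository's "Security" tab. The rest stay read-only.
+actions: read
+contents: read
+security-events: write
+
+steps:
+- name: Checkout
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+
+- name: Initialize CodeQL
+uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+with:
+languages: python
+# The hand-written Python in this repo lives under
+# `tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/`. Both
+# are stdlib-only / a single OAuth dep and do not process
+# untrusted network input at runtime, so the default
+# `security-and-quality` query suite is sufficient — no need
+# for `security-extended`.
+queries: security-and-quality
+
+- name: Perform CodeQL analysis
+uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+with:
+category: "/language:python"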
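Review bot: The comment above `queries: security-and-quality` justifies that suite as "sufficient — no need for `security-extended`", but per the CodeQL documentation `security-and-quality` is the larger suite: it contains the `security-extended` queries plus maintainability and reliability ones, so the reasoning is inverted and the "do not process untrusted network input" argument is not what the choice rests on. That claim is also worth re-checking on its own, since a Gmail OAuth client necessarily consumes API responses it did not produce (I cannot see the tools from here). Suggest rewording to `# security-and-quality = security-extended + maintainability/reliability queries;` / `# the broadest stock suite, appropriate for the small tools under tools/.`. Minor: `runs-on: ubuntu-24.04` differs from `ubuntu-latest` in the other workflows of this commit; either is fine, but pick one.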
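--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,54 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: prek
+
+on: # yamllint disable-line rule:truthy
+pull_request:
+push:
+branches: [main]
+
+permissions: {}
+
+jobs:
+prek:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+# `uv` brings its own Python and is required by both:
+# - the per-project prek hooks under
+# `tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/`,
+# which invoke `uv run --directory ...` for ruff / mypy /
+# pytest;
+# - the `uv tool install prek` step below.
+# Minimum uv version is pinned in the root `pyproject.toml`
+# (`[tool.uv] required-version`).
+- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+with:
+enable-cache: true
+# Install prek via uv (rather than via the `j178/prek-action`
+# action) so the `[tool.uv] exclude-newer` cooldown in the
+# root `pyproject.toml` applies to the prek install as well.
+- name: Install prek
+run: uv tool install prek
+- name: Run prek
+run: prek run --show-diff-on-failure --color=always --all-files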
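Review bot: `run: uv tool install prek` is the one unpinned dependency in a workflow where every action is SHA-pinned; it installs whatever prek release PyPI serves on the day of the run, so the job is not reproducible and a newly published prek lands in CI immediately. The comment above it relies on `[tool.uv] exclude-newer` from the root `pyproject.toml` applying to that install, but `uv tool install` runs outside the project context, so confirm it actually reads that setting (if it only honours `uv.toml` / user-level config, the stated reason for preferring it over `j178/prek-action` does not hold). Pinning the version, `run: uv tool install prek==<PREK_VERSION>` (placeholder), makes the step reproducible either way and lets Dependabot or a hook bump it deliberately; note the chosen version in the comment alongside the `exclude-newer` rationale.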
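--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,45 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: "GitHub Actions Security Analysis"
+
+on: # yamllint disable-line rule:truthy
+push:
+branches: [main]
+pull_request:
+branches: [main]
+
+permissions: {}
+
+jobs:
+zizmor:
+name: "zizmor"
+runs-on: ubuntu-latest
+permissions:
+contents: read
+actions: read
+steps:
+- name: "Checkout repository"
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+- name: "Run zizmor"
+uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+with:
+advanced-security: false
+config: .zizmor.yml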
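--- /dev/null
+++ b/.zizmor.yml
@@ -0,0 +1,7 @@
+# zizmor — GitHub Actions security analyser. Configuration overrides
+# go here when a finding is a known false positive or otherwise
+# accepted; the file is intentionally empty to start so that every
+# finding is surfaced and reviewed.
+#
+# Docs: https://docs.zizmor.sh/configuration/
+rules: {}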