18 changes: 18 additions & 0 deletions .gitattributes
@@ -0,0 +1,18 @@
# Files excluded from the source release artefact.
# `git archive` (used by release-rc-cut / release-build.md to build
# apache-magpie-<version>-source.zip) honours `export-ignore`, so the
# paths below are kept out of the signed source .zip that the [VOTE]
# votes on. Keep this list to VCS/CI/editor metadata — never source.

.gitattributes export-ignore
.gitignore export-ignore
.github/ export-ignore
.idea/ export-ignore
.agents/ export-ignore
.pre-commit-config.yaml export-ignore
.lychee.toml export-ignore
.lycheecache export-ignore
.markdownlint.json export-ignore
.typos.toml export-ignore
.zizmor.yml export-ignore
.apache-magpie.session-state.json export-ignore
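
Review bot: The last two entries, `.lycheecache` and `.apache-magpie.session-state.json`, read as locally generated state rather than repository metadata, and `export-ignore` only affects paths that exist in the tagged tree. If those files are untracked, the entries do nothing and the paths belong in `.gitignore` instead; if they are tracked, say so in the header comment so the next editor knows why they are listed. It is also worth stating in that comment that `git archive` reads these attributes from the `.gitattributes` committed in the tree being archived, so a change to this list only takes effect for tags cut after it lands.
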
58 changes: 58 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,58 @@
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*

- [Changelog](#changelog)
- [0.1.0](#010)
- [Framework](#framework)
- [Skill families](#skill-families)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->

# Changelog

All notable changes to Apache Magpie are recorded here. This project
adheres to [Semantic Versioning](https://semver.org/).

## 0.1.0

First Apache Magpie release. Apache Magpie is a reusable, governance-
agnostic framework of agentic skills for maintaining open-source
projects — usable by ASF and non-ASF projects alike.

This initial release establishes the framework and its skill families:

### Framework

- Snapshot-based **adoption mechanism** (`magpie-setup`) so a project
can adopt, upgrade, verify, and unadopt the framework from a pinned
snapshot, with per-adopter and per-user configuration layers.
- **Agentic mode taxonomy** (Triage, Mentoring, Drafting, Pairing) and
the state-change-boundary discipline every skill is held to
(human-in-the-loop on every state change; the agent drafts, the human
acts).
- **Trusted skill sources** — fetch, pin, and symlink skills from
external trust-listed sources.

### Skill families

- **Security** — the security-issue lifecycle from intake through
triage, CVE allocation, fix, and disclosure.
- **Release management** — the release lifecycle: planning, RC cut,
verification, vote, promote, announce, archive, and audit, with both
the `svnpubsub` and **Apache Trusted Releases (ATR)** distribution
backends documented.
- **PR management** — triage, code review, quick-merge, and stats for a
maintainer's pull-request queue.
- **Issue management** — triage, deduplication, reproduction, staleness
sweeps, and backlog statistics.
- **Contributor & committer** — nomination briefs, activity sweeps,
readiness tracking, and post-vote onboarding.
- **Audit** — CI-runner, dependency, license-compliance, and
flaky-test audits.

See [`README.md`](README.md) and [`MISSION.md`](MISSION.md) for the
full scope, and [`docs/`](docs/) for the per-family documentation.
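
Review bot: The `## 0.1.0` heading carries no release date, so the entry cannot be matched to a tag or vote thread once later versions are added. Put the date next to the version, or an explicit `unreleased` marker until the `[VOTE]` closes.
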
8 changes: 4 additions & 4 deletions MISSION.md
Expand Up @@ -32,10 +32,10 @@
## Mission

Apache Magpie is responsible for the creation and maintenance of software
related to creation and maintenance of software related to agent-assisted
repository maintainership and development, including issue and pull-request
triage, contributor mentoring, agent-drafted remediation, developer-side
development-cycle skills, and narrowly-scoped fix-and-merge automation
related to agent-assisted repository maintainership and development,
including issue and pull-request triage, contributor mentoring,
agent-drafted remediation, developer-side development-cycle skills, and
narrowly-scoped fix-and-merge automation

## Abstract
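
Review bot: The rewritten Mission sentence still ends at `narrowly-scoped fix-and-merge automation` with no terminating full stop. Since this hunk already rewraps the paragraph to drop the duplicated clause, add the period in the same change.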

96 changes: 96 additions & 0 deletions projects/magpie/pmc-roster.md
@@ -0,0 +1,96 @@
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*

- [Apache Magpie: PMC roster](#apache-magpie-pmc-roster)
- [Roster](#roster)
- [Resolution](#resolution)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->

# Apache Magpie: PMC roster

The PMC roster `release-vote-tally` reads to classify each `[VOTE]`
reply as binding (PMC member) or non-binding (committer / community).
Template: [`projects/_template/pmc-roster.md`](../_template/pmc-roster.md).

Authoritative source is the project's official committee roster
(`https://whimsy.apache.org/roster/committee/magpie`). This file
mirrors it so the tally skill can resolve a `From:` address without
hitting LDAP every run. Keep it in sync; membership changes land in
Whimsy first. The roster below reflects the founding PMC recorded in
[`MISSION.md`](../../MISSION.md).

## Roster

| Apache ID | Name | Primary email | Binding since |
|---|---|---|---|
| `potiuk` | Jarek Potiuk (Chair) | `potiuk@apache.org` | `[resolution]` |
| `pkarwasz` | Piotr Karwasz | `pkarwasz@apache.org` | `[resolution]` |
| `eladkal` | Elad Kalif | `eladkal@apache.org` | `[resolution]` |
| `zeroshade` | Matthew Topol | `zeroshade@apache.org` | `[resolution]` |
| `gopidesu` | Pavan Kumar Gopidesu | `gopidesu@apache.org` | `[resolution]` |
| `amoghdesai` | Amogh Desai | `amoghdesai@apache.org` | `[resolution]` |
| `akm` | Andrew Musselman | `akm@apache.org` | `[resolution]` |
| `jmclean` | Justin Mclean | `jmclean@apache.org` | `[resolution]` |
| `jbonofre` | Jean-Baptiste Onofré | `jbonofre@apache.org` | `[resolution]` |
| `paulk` | Paul King | `paulk@apache.org` | `[resolution]` |
| `rusackas` | Evan Rusackas | `rusackas@apache.org` | `[resolution]` |
| `russellspitzer` | Russell Spitzer | `russellspitzer@apache.org` | `[resolution]` |
| `iemejia` | Ismael Mejia | `iemejia@apache.org` | `[resolution]` |
| `tison` | Zili Chen (tison) | `tison@apache.org` | `[resolution]` |
| `jamesfredley` | James Fredley | `jamesfredley@apache.org` | `[resolution]` |
| `kirs` | Calvin Kirs | `kirs@apache.org` | `[resolution]` |
| `rbowen` | Rich Bowen | `rbowen@apache.org` | `[resolution]` |
| `mdrob` | Mike Drob | `mdrob@apache.org` | `[resolution]` |
| `clr` | Craig L Russell | `clr@apache.org` | `[resolution]` |
| `csutherl` | Coty Sutherland | `csutherl@apache.org` | `[resolution]` |
| `remm` | Rémy Maucherat | `remm@apache.org` | `[resolution]` |
| `rzo1` | Richard Zowalla | `rzo1@apache.org` | `[resolution]` |

**A `+1` from a PMC member is binding; from anyone not on this roster,
non-binding.**

A `[VOTE]` reply counts as binding when:

1. The `From:` address matches a row's `Primary email` exactly, **or**
2. The `From:` address contains `@apache.org` and the local part
matches a row's `Apache ID` exactly.

Rule (2) is the fallback because PMC members occasionally vote from
`<id>@apache.org` rather than the `Primary email` recorded here.

> [!IMPORTANT]
> `Primary email` is set to each member's `@apache.org` address, so
> rules (1) and (2) both resolve an `@apache.org` vote. **A member who
> intends to vote from a personal Gmail or corporate address MUST have
> that address added to their `Primary email` here before the 0.1.0
> `[VOTE]`** — otherwise neither rule matches and their `+1` tallies
> non-binding. `Binding since` is `[resolution]` for the founding
> roster; replace with the establishment-resolution date once
> confirmed (informational only; not used for resolution).

## Resolution

`release-vote-tally`'s resolution algorithm:

1. Normalise the `From:` header to `local@domain` form.
2. Try exact match against `Primary email` (case-insensitive).
3. If `domain == apache.org`, try the local part against the
`Apache ID` column.
4. If neither hits, the vote is classified non-binding, flagged
`BINDING-CANDIDATE-UNRESOLVED`, and surfaced for RM review; the
skill refuses to count it until the RM updates this roster or
confirms the vote is non-binding.

The roster is the source of truth for the tally skill. The skill never
infers binding status from message content (a sign-off that says "PMC
member" does not promote a non-roster voter to binding).

> [!NOTE]
> Reconcile against the Whimsy roster before relying on this for a
> binding tally. Membership changes (additions, emeritus) land in
> Whimsy first.
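
Review bot: Rule (2) under Roster says the `From:` address "contains `@apache.org`", while step 3 under Resolution requires `domain == apache.org`; a substring test would also accept an address such as `potiuk@apache.org.example` (constructed), so the roster text should be tightened to exact domain equality to match the algorithm. In the same pass, rule (1) says the `Primary email` match is exact while step 2 says case-insensitive, and step 3 does not say how case is handled for the `Apache ID` comparison; pick one behaviour and state it in both places. Both rules key on the `From:` header alone, so the document should also say what the skill relies on to trust that header (for example, reading replies only from the list archive), since binding status hangs on it.
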
66 changes: 66 additions & 0 deletions projects/magpie/release-build.md
@@ -0,0 +1,66 @@
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*

- [Apache Magpie: release build configuration](#apache-magpie-release-build-configuration)
- [Build invocation](#build-invocation)
- [Expected artefact list](#expected-artefact-list)
- [Digest set](#digest-set)
- [Binary-exclude list](#binary-exclude-list)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->

# Apache Magpie: release build configuration

Build invocation, expected artefact set, and digest selection the
`release-rc-cut` and `release-verify-rc` skills read for a Magpie
release. Template: [`projects/_template/release-build.md`](../_template/release-build.md).

Magpie is a source-first project (skills, docs, and Python tooling).
**The source package is the release** per
[release-policy § what is a release](https://www.apache.org/legal/release-policy.html#release-definition).
Magpie ships **no convenience binaries** — the signed source artefact is
the only release artefact.

## Build invocation

The canonical source artefact is a deterministic `git archive` of the
tagged tree — no VCS metadata, no build output:

```bash
# From the release tag <version>-rcN:
git archive --format=zip \
--prefix="apache-magpie-<version>/" \
-o "apache-magpie-<version>-source.zip" \
"<version>-rcN"
```

Files that must not ship in the source release (CI config, editor
metadata) are marked `export-ignore` in the root
[`.gitattributes`](../../.gitattributes), so `git archive` drops them.
[Apache RAT](https://creadur.apache.org/rat/) (run by
`release-verify-rc`) is the authoritative check on artefact contents;
extend the `export-ignore` set if RAT flags anything on the first RC.

## Expected artefact list

- `apache-magpie-<version>-source.zip` — canonical source artefact
(**required**, signed, checksummed). This is what the `[VOTE]` votes
on, and the only artefact Magpie ships. No convenience binaries.

## Digest set

- `sha512` — **required** (ASF baseline).

`md5` and `sha1` are prohibited for new ASF releases per
[release-distribution § sigs-and-sums](https://infra.apache.org/release-distribution.html#sigs-and-sums)
and are never emitted.

## Binary-exclude list

The source artefact must contain no compiled or opaque binary content.
Conservative default denylist for `release-verify-rc`:
`.class`, `.jar`, `.so`, `.dylib`, `.dll`, `.exe`, `.pyc`.
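
Review bot: Build invocation calls the `git archive` output deterministic, but nothing in the command or the surrounding text pins what makes the zip bytes repeatable; compressed archive output can differ between git and zlib versions, so a voter rebuilding from the tag may get a different `sha512` for identical content. Either record the git version used for the RC, or have `release-verify-rc` compare the extracted tree against the tag instead of comparing zip bytes. Separately, the Binary-exclude list matches on file extension only, which a renamed or extensionless binary passes; a content-based check in `release-verify-rc` would close that gap.
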