Skip to content

.asf.yaml: route all notification schemes (suppress dev@ default)#9

Merged
potiuk merged 1 commit into
mainfrom
asf-yaml-avoid-dev-list
Apr 29, 2026
Merged

.asf.yaml: route all notification schemes (suppress dev@ default)#9
potiuk merged 1 commit into
mainfrom
asf-yaml-avoid-dev-list

Conversation

@potiuk

@potiuk potiuk commented Apr 29, 2026

Copy link
Copy Markdown
Member

Summary

The repo was leaking four GitHub event streams to dev@airflow.apache.org because those schemes were unset in our notifications: block — and ASF Infra defaults any unset scheme to dev@<project>.apache.org.

Root cause

Per the ASF asf.yaml validator at apache/infrastructure-asfyaml, VALID_NOTIFICATION_SCHEMES includes eleven schemes for a public GitHub repo:

commits             issues                pullrequests
commits_by_path     issues_status         pullrequests_status
discussions         issues_comment        pullrequests_comment
jobs                jira_options          (+ bot-pattern variants)

Our previous config set five (commits, issues, pullrequests, jobs, discussions). The four GitHub-event streams issues_status, issues_comment, pullrequests_status, pullrequests_comment were unset, so every issue label change, every issue comment, every PR state change + CI status check failure, and every PR comment was being routed to dev@airflow.apache.org. pullrequests_status is by far the noisiest of these — it fires on every CI status-check failure across every PR.

(commits_by_path is an optional path-specific override and is intentionally left unset; jira_options is for Jira-integrated repos.)

For reference, apache/airflow itself has the same five-field shape and is presumably leaking the same four streams to dev@airflow.apache.org — that's a separate fix to propose there.

What this PR does

  • Adds explicit routes for the four leaking schemes — same target as the rest (commits@airflow.apache.org), the standard Airflow PMC bot-event mirror list.
  • Reformats the field list with column alignment so a missing scheme is visually obvious in future diffs.
  • Expands the comment to spell out the dev@ default behaviour, links the schema source, and notes the rationale for the commits@airflow.apache.org target.

Diff

.asf.yaml, +33 −5. Four new field lines + comment expansion. The five existing routes are unchanged.

Test plan

  • prek passes (no doctoc / EOF / line-ending changes).
  • ASF Infra's .asf.yaml processor is the verifier — it will either accept the new schemes (silently good) or reject the file with a validation error (visible in the gitbox notification email to private@airflow.apache.org).
  • After merge, watch dev@airflow.apache.org for an absence of apache-airflow-steward issue/PR notifications over the next ~week.

🤖 Generated with Claude Code

Without this change, ASF Infra was silently routing four GitHub
event streams to `dev@airflow.apache.org` because the schemes were
not explicitly populated in our `notifications:` block.

The ASF asf.yaml validator at
https://github.com/apache/infrastructure-asfyaml/blob/main/asfyaml/feature/notifications.py
defines `VALID_NOTIFICATION_SCHEMES` with eleven schemes that apply
to a public GitHub repo. Any unset scheme falls back to
`dev@<project>.apache.org`. We were setting only five
(`commits`, `issues`, `pullrequests`, `jobs`, `discussions`),
so the four "bot event" streams were leaking to dev@:

- `issues_status` — issue open/close/label-change events.
- `issues_comment` — comments on issues.
- `pullrequests_status` — PR state changes + CI status-check
  failures (the noisiest one).
- `pullrequests_comment` — comments on PRs.

(`commits_by_path` is an optional path-specific override, not a
default-target field, so it stays unset.)

This commit:

- Adds explicit routes for all four leaking schemes — same target
  as the rest (`commits@airflow.apache.org`), per the existing
  Airflow PMC umbrella.
- Reformats the field list with column alignment so the missing-
  scheme regression is hard to reintroduce silently.
- Expands the comment to spell out the dev@ default behaviour, the
  schema link, and the rationale for the `commits@airflow.apache.org`
  routing (it's the standard bot-event mirror list, public-by-
  design, already moderated for bot-only traffic).

No effect on the five schemes that were already routed correctly;
the change is purely additive.

Generated-by: Claude Code (Claude Opus 4.7)
@potiuk potiuk merged commit 2ee6068 into main Apr 29, 2026
5 checks passed
@potiuk potiuk deleted the asf-yaml-avoid-dev-list branch April 29, 2026 09:49
@andreahlert andreahlert added the mode:cross-cutting Spans multiple modes label May 7, 2026
andreahlert referenced this pull request in andreahlert/magpie May 15, 2026
- Replace SPDX with full ASF v2 license header (jbonofre)
- Clarify binding audience: contributors, committers, PMC, unmodified adopters (jbonofre)
- Extend #5 with deterministic-first execution to save tokens (potiuk)
- Extend #6 with explicit human sign-off for outbound human communication (RussellSpitzer)
- Rework #9 around capability floor instead of "same code on all backends", add justified-and-minimized clause, add end-to-end single-machine config requirement (RussellSpitzer)
- Standardize on US English (analyze, artifact, behavior, catalog, license, specialized)
potiuk referenced this pull request in andreahlert/magpie May 24, 2026
- Replace SPDX with full ASF v2 license header (jbonofre)
- Clarify binding audience: contributors, committers, PMC, unmodified adopters (jbonofre)
- Extend #5 with deterministic-first execution to save tokens (potiuk)
- Extend #6 with explicit human sign-off for outbound human communication (RussellSpitzer)
- Rework #9 around capability floor instead of "same code on all backends", add justified-and-minimized clause, add end-to-end single-machine config requirement (RussellSpitzer)
- Standardize on US English (analyze, artifact, behavior, catalog, license, specialized)
potiuk added a commit that referenced this pull request May 25, 2026
#273)

Generalise the leading bracketed-tag regex in the template (and the
matching example cascade in security-cve-allocate/SKILL.md) so it
catches any square- or round-bracketed leading tag whose body
contains the word "security" or "important", case-insensitive —
e.g. (Security Issue), [ Security Vulnerability ], [IMPORTANT],
(Important - please read), in addition to the existing four
[Security X] forms.

Add a new pattern #9 to strip trailing IDs from known external
bug-bounty / disclosure trackers — (ZDRES-NNN), [HUNTR-NNN],
(GHSL-YYYY-NNN) — in either bracket style. Extend the alternation
per project as new reporter brands surface (SNYK-, BDSA-, etc.).

Real motivating example: an airflow-s tracker whose subject was
"[ Security Report ] LDAP Filter Injection in FAB Auth Manager
_search_ldap reachable via /auth/token (ZDRES-223)" — the leading
prefix matched the old pattern but no pattern covered the trailing
(ZDRES-223). Verified the new cascade collapses this to "LDAP Filter
Injection in FAB Auth Manager _search_ldap reachable via /auth/token".

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
potiuk referenced this pull request in andreahlert/magpie May 27, 2026
- Replace SPDX with full ASF v2 license header (jbonofre)
- Clarify binding audience: contributors, committers, PMC, unmodified adopters (jbonofre)
- Extend #5 with deterministic-first execution to save tokens (potiuk)
- Extend #6 with explicit human sign-off for outbound human communication (RussellSpitzer)
- Rework #9 around capability floor instead of "same code on all backends", add justified-and-minimized clause, add end-to-end single-machine config requirement (RussellSpitzer)
- Standardize on US English (analyze, artifact, behavior, catalog, license, specialized)
potiuk pushed a commit that referenced this pull request Jun 2, 2026
* docs(principles): add operational principles document

PRINCIPLES.md restates RFC-AI-0004's six baseline principles in their
operational shape and adds the project-internal commitments the RFC
deliberately defers: eval as release blocker, contributor-sentiment
gating, no default telemetry, reproducibility from signed source,
maintainer education shipped with the platform.

19 ordered principles. Earlier outranks later when they collide.
Amendment process matches the release-vote process (>=3 binding +1,
no binding -1, 72h window, no lazy consensus).

Positioned as project-internal operating contract, not a competing RFC.

* docs(principles): address review feedback on PRINCIPLES.md

- Replace SPDX with full ASF v2 license header (jbonofre)
- Clarify binding audience: contributors, committers, PMC, unmodified adopters (jbonofre)
- Extend #5 with deterministic-first execution to save tokens (potiuk)
- Extend #6 with explicit human sign-off for outbound human communication (RussellSpitzer)
- Rework #9 around capability floor instead of "same code on all backends", add justified-and-minimized clause, add end-to-end single-machine config requirement (RussellSpitzer)
- Standardize on US English (analyze, artifact, behavior, catalog, license, specialized)

* docs(principles): disambiguate 'language-independent' as 'programming-language independent' (RussellSpitzer)

* docs(principles): qualify P6 merge rule as 'unilaterally' to resolve auto-merge tension (justinmclean)

* docs(principles): scope P3 'first-class' as adopter, clarify amendment proposal path (justinmclean)

* docs(principles): add PMC adjudication path for disputed committer blocks (justinmclean)

* docs(principles): scope P6 impersonation claim to messages read as maintainer-authored (justinmclean)

* docs(principles): replace dangling 'same family' clause with single-principle interpretation rule (justinmclean)

* docs(principles): add generated TOC

* docs(principles): align P14 with upstream Skills contract

A skill is always a directory with SKILL.md as entrypoint, even
for one-file workflows. SKILL.md stays under 500 lines; longer
reference material moves into sibling markdown linked one level
deep. Matches the runtime contract documented at
https://code.claude.com/docs/en/skills and
https://platform.claude.com/docs/en/agents-and-tools/agent-skills/best-practices,
and reflects how skills in this repo (contributor-nomination,
pr-management-code-review, pr-management-mentor) are already
authored.

* docs(principles): make P6 merge clause explicit on subject and close auto-merge gap (justinmclean)

* docs(principles): resolve disputed blocks via PMC consensus first, vote as last resort (justinmclean)

* docs(principles): soften P11 reproducibility requirement

Addresses review feedback that 'bytes are identical' is too strong
for a project-agnostic framework. Toolchains vary in their ability
to produce byte-identical output; some have known divergence sources
(timestamps, file ordering, path embedding).

P11 now requires byte-identical builds where achievable, and where
the toolchain makes that impractical, the release process must
document the divergence and provide an alternative local verification
mechanism. The 'no code without reviewed PR' guard stays absolute.

Refs: PR #147 review

* docs(principles): move ASF license header to top of file

The doctoc-generated TOC was placed above the Apache license header,
which breaks tooling that expects the license notice in the first
few lines of the file. Move the license block to line 1, followed
by the TOC.

Refs: PR #147 review

* docs(principles): align amendment process and blocking rules with ASF policy

Three fixes from PR #147 review by @justinmclean:

1. Amendment vote model: 'release vote' -> 'code-modification vote'
   The encoded rule (>=3 binding +1, any binding -1 vetoes) matches
   ASF consensus approval for code modifications, not majority
   approval for releases.

2. Veto-justification requirement: A binding -1 must now include a
   technical justification. Without one the veto is invalid and has
   no weight, matching ASF voting policy.

3. Generative tooling disclosure: P17 now requires a
   'Generated-by: <tool>' token in commit messages for AI-authored
   contributions, per ASF Generative Tooling Guidance.
potiuk pushed a commit to justinmclean/airflow-steward that referenced this pull request Jun 14, 2026
…on blocks

Adds validate_validation_paths() which extracts filesystem paths from
shell patterns in ## Validation code blocks (--project, --directory,
bash -n, shellcheck, test -f) and checks each exists under the repo
root. Shell variables ($) and placeholder tokens (<) are silently
skipped. Catches stale paths after renames before they accumulate.

Also fixes a stale path in mentoring-mode.md (Validation block
referenced .claude/skills/good-first-issue-author/SKILL.md; the
installed name is magpie-good-first-issue-author).

Generated-by: Claude (Opus 4.7)
potiuk pushed a commit that referenced this pull request Jun 14, 2026
…cks (#513)

Adds validate_validation_paths() which extracts filesystem paths from
shell patterns in ## Validation code blocks (--project, --directory,
bash -n, shellcheck, test -f) and checks each exists under the repo
root. Shell variables ($) and placeholder tokens (<) are silently
skipped. Catches stale paths after renames before they accumulate.

Also fixes a stale path in mentoring-mode.md (Validation block
referenced .claude/skills/good-first-issue-author/SKILL.md; the
installed name is magpie-good-first-issue-author).

Generated-by: Claude (Opus 4.7)
potiuk pushed a commit that referenced this pull request Jun 26, 2026
#560)

Add [dependency-groups] dev = [pytest, ruff] to
tools/spec-validator/pyproject.toml so that the standard
monorepo invocation
  uv run --project tools/spec-validator --group dev pytest tools/spec-validator/tests/
works from the repo root, matching the pattern established by
tools/skill-and-tool-validator (asf-coupling-lint) and documented in
the module docstring.

Also fix a copy-paste comment mislabelling check #9 (validation-path
existence as check #8 — SPDX header validation is check #8.

Generated-by: Claude (Opus 4.7)
EOF
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

mode:cross-cutting Spans multiple modes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants