This is an automated email from the ASF dual-hosted git repository. potiuk pushed a commit to branch replace-octopin-with-dependabot in repository https://gitbox.apache.org/repos/asf/airflow-site.git
commit b897cb3dcdf818c76b7eb35f835d1e259d2cf684 Author: Jarek Potiuk <[email protected]> AuthorDate: Tue Mar 17 01:39:46 2026 +0100 Replace octopin with dependabot and fix zizmor issues - Remove octopin pre-commit hook (dependabot github-actions ecosystem now handles action version pinning) - Remove upgrade.yml workflow (replaced by dependabot) - Add dependabot pre-commit ecosystem for hook updates (weekly, grouped) - Add cooldown (4 days) to github-actions dependabot ecosystem - Fix zizmor secrets-outside-env finding in build.yml Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --- .github/dependabot.yml | 10 +++++ .github/workflows/build.yml | 2 +- .github/workflows/upgrade.yml | 86 ------------------------------------------- .pre-commit-config.yaml | 9 ----- 4 files changed, 11 insertions(+), 96 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 610da42134..40616e4708 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -31,6 +31,8 @@ updates: patterns: - "*" - package-ecosystem: github-actions + cooldown: + default-days: 4 directory: / schedule: interval: daily @@ -38,3 +40,11 @@ updates: github-actions: patterns: - "*" + - package-ecosystem: pre-commit + directory: / + schedule: + interval: weekly + groups: + pre-commit-hooks: + patterns: + - "*" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3ab74962ff..dc027058b9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,7 @@ concurrency: group: build-${{ github.ref }} cancel-in-progress: true jobs: - build: + build: # zizmor: ignore[secrets-outside-env] runs-on: ["ubuntu-22.04"] env: PROD_PUBLISH_REQUIRED: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' || 'false' }} diff --git a/.github/workflows/upgrade.yml b/.github/workflows/upgrade.yml deleted file mode 100644 index 21e74f2149..0000000000 
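Review bot: The `cooldown` block added to the `github-actions` entry carries no comment saying why updates are held back, so `default-days: 4` reads as an arbitrary number. I would add a line above `cooldown:` such as `# Wait 4 days after a release before proposing it, so a compromised or withdrawn action release has time to be caught`. As far as I know, cooldown delays version updates only and not security updates; if that holds for this repository, it is worth saying so in the same comment. The `updates:` list starts above the hunk, so I cannot see whether the other ecosystems already set a cooldown.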
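Review bot: The new `pre-commit` entry has no `cooldown`, while the `github-actions` entry in the previous hunk gets `default-days: 4`. Hooks run third-party code on developer machines and in CI, so the same delay seems warranted; if Dependabot supports cooldown for this ecosystem, add `cooldown:` with `default-days: 4` here as well. Separately, the removed workflow ran `prek autoupdate --freeze`, and `.pre-commit-config.yaml` pins `rev:` to full commit SHAs with `# frozen: vX.Y.Z` comments. Before relying on this entry, confirm that Dependabot's pull requests keep the SHA pin and refresh that comment rather than rewriting `rev:` to a mutable tag.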
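Review bot: The `# zizmor: ignore[secrets-outside-env]` comment on the `build:` line suppresses the finding rather than fixing it, although the commit message calls it a fix, and it gives no reason. Placed on the job key, it presumably silences the audit for every secret reference in the job, including ones added later. If the job cannot run under a GitHub deployment environment, record why on a comment line directly above, e.g. `# secrets-outside-env suppressed: <reason the job's secrets are not scoped to an environment>`. Otherwise, giving the job an `environment:` would address the finding itself. The job body continues outside the hunk, so which secrets are affected is not visible here.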
--- a/.github/workflows/upgrade.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -name: Upgrade CI dependencies - -on: - push: - branches: ['main', 'staging'] - workflow_dispatch: -permissions: - contents: write - pull-requests: write -concurrency: - group: upgrade-${{ github.ref }} - cancel-in-progress: true -jobs: - upgrade: - runs-on: ["ubuntu-22.04"] - steps: - - name: 🗂 Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - submodules: recursive - lfs: true - fetch-depth: 1 - persist-credentials: false - - name: 🐍 Install uv - run: | - curl -LsSf https://astral.sh/uv/install.sh | sh - - name: 📦 Install prek - run: | - uv tool install prek - - name: 🔄 Upgrade prek hooks - id: upgrade-prek - continue-on-error: true - run: | - echo "Upgrading prek hooks..." - prek autoupdate --color=always --freeze - if git diff --quiet; then - echo "prek_changed=false" >> $GITHUB_OUTPUT - echo "No changes from prek upgrade" - else - echo "prek_changed=true" >> $GITHUB_OUTPUT - echo "Changes detected from prek upgrade" - fi - - name: 🔄 Upgrade octopin versions - id: upgrade-octopin - continue-on-error: true - run: | - echo "Upgrading octopin versions..." 
- # Run octopin as a pre-commit hook - prek run pin-versions --hook-stage manual --color=always --show-diff-on-failure --all-files - if git diff --quiet; then - echo "octopin_changed=false" >> $GITHUB_OUTPUT - echo "No changes from octopin upgrade" - else - echo "octopin_changed=true" >> $GITHUB_OUTPUT - echo "Changes detected from octopin upgrade" - fi - - name: ✅ No changes needed - if: > - steps.upgrade-octopin.outputs.octopin_changed == 'false' && - steps.upgrade-prek.outputs.prek_changed == 'false' - run: | - echo "✅ All dependencies are up to date!" - - name: ❌ Error - Changes detected - if: > - steps.upgrade-octopin.outputs.octopin_changed == 'true' || - steps.upgrade-prek.outputs.prek_changed == 'true' - run: | - echo "❌ ERROR: Changes detected from upgrade process!" - exit 1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0e35322fee..84313d2dc4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -27,15 +27,6 @@ repos: hooks: - id: check-hooks-apply - id: check-useless-excludes - - repo: https://github.com/eclipse-csi/octopin - # We need this commit because if supports two spaces before comments (yamllint compatibility) - rev: 67eac129b3e1d8ddb47e657bb2fda28c33d948ca # frozen: v0.1.4 - hooks: - - id: pin-versions - name: Pin versions of dependencies in CI workflows (manual) - stages: ['manual'] - language: python - language_version: python311 - repo: https://github.com/woodruffw/zizmor-pre-commit rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0 hooks:
