This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-site.git
The following commit(s) were added to refs/heads/main by this push:
new 9596bba74c Replace octopin with dependabot and fix zizmor issues
(#1467)
9596bba74c is described below
commit 9596bba74cdcc8b1f0fbfacb0b23f04318333d45
Author: Jarek Potiuk <[email protected]>
AuthorDate: Tue Mar 17 01:54:31 2026 +0100
Replace octopin with dependabot and fix zizmor issues (#1467)
* Replace octopin with dependabot and fix zizmor issues
- Remove octopin pre-commit hook (dependabot github-actions ecosystem
now handles action version pinning)
- Remove upgrade.yml workflow (replaced by dependabot)
- Add dependabot pre-commit ecosystem for hook updates (weekly, grouped)
- Add cooldown (4 days) to github-actions dependabot ecosystem
- Fix zizmor secrets-outside-env finding in build.yml
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
* Fix typos in build.yml step names
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
---
.github/dependabot.yml | 10 +++++
.github/workflows/build.yml | 6 +--
.github/workflows/upgrade.yml | 86 -------------------------------------------
.pre-commit-config.yaml | 9 -----
4 files changed, 13 insertions(+), 98 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 610da42134..40616e4708 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -31,6 +31,8 @@ updates:
patterns:
- "*"
- package-ecosystem: github-actions
+ cooldown:
+ default-days: 4
directory: /
schedule:
interval: daily
@@ -38,3 +40,11 @@ updates:
github-actions:
patterns:
- "*"
+ - package-ecosystem: pre-commit
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ pre-commit-hooks:
+ patterns:
+ - "*"
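Review bot: The new `pre-commit` entry has no `cooldown`, while the `github-actions` entry in the same file gets `default-days: 4` in this commit. Pre-commit hooks run code on contributor machines and in CI, so the same delay against freshly published releases is worth having here. If Dependabot accepts it for this ecosystem, add `cooldown:` with `default-days: 4` under `- package-ecosystem: pre-commit`. The deleted upgrade.yml pinned hooks with `prek autoupdate --freeze`, so please also confirm that Dependabot's updates keep the full commit SHA in `rev:` together with the `# frozen: vX.Y.Z` comment rather than rewriting it to a tag.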
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3ab74962ff..ae8844acc9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,7 +28,7 @@ concurrency:
group: build-${{ github.ref }}
cancel-in-progress: true
jobs:
- build:
+ build: # zizmor: ignore[secrets-outside-env]
runs-on: ["ubuntu-22.04"]
env:
PROD_PUBLISH_REQUIRED: ${{ (github.event_name == 'push' ||
github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' ||
'false' }}
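Review bot: The `# zizmor: ignore[secrets-outside-env]` on `build:` suppresses the finding for the whole job without recording why, and the commit message describes it as a fix although the visible lines leave secret handling unchanged. Please add a comment line above the job stating the reason, for example `# secrets-outside-env ignored: <reason the publish secrets are not bound to a GitHub environment>`, so a later reader can tell whether the exception still holds. If the publishing steps can move into a job that declares `environment:` with protection rules, that would resolve the finding instead of hiding it. The job body continues outside this hunk, so where the secrets are actually referenced is not visible here.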
@@ -131,7 +131,7 @@ jobs:
echo "Restored previous theme packages:"
ls -la dist/sphinx-airflow-theme/
fi
- - name: β nstall AWS CLI v2
+ - name: β Install AWS CLI v2
if: env.PROD_PUBLISH_REQUIRED != 'false' ||
env.STAGING_PUBLISH_REQUIRED != 'false'
run: |
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o
/tmp/awscliv2.zip
@@ -205,7 +205,7 @@ jobs:
cp sphinx_airflow_theme/LATEST_VERSION.txt dist/sphinx-airflow-theme/
echo "All theme packages (including previous versions):"
ls -la dist/sphinx-airflow-theme/
- - name: πRefresh PMC/COMMITTERS profiles
+ - name: π Refresh PMC/COMMITTERS profiles
env:
PMC_COMMITTERS_FILES:
landing-pages/site/data/committers.json,landing-pages/site/data/pmc.json
run: |
diff --git a/.github/workflows/upgrade.yml b/.github/workflows/upgrade.yml
deleted file mode 100644
index 21e74f2149..0000000000
--- a/.github/workflows/upgrade.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-name: Upgrade CI dependencies
-
-on:
- push:
- branches: ['main', 'staging']
- workflow_dispatch:
-permissions:
- contents: write
- pull-requests: write
-concurrency:
- group: upgrade-${{ github.ref }}
- cancel-in-progress: true
-jobs:
- upgrade:
- runs-on: ["ubuntu-22.04"]
- steps:
- - name: π Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
- with:
- submodules: recursive
- lfs: true
- fetch-depth: 1
- persist-credentials: false
- - name: π Install uv
- run: |
- curl -LsSf https://astral.sh/uv/install.sh | sh
- - name: π¦ Install prek
- run: |
- uv tool install prek
- - name: π Upgrade prek hooks
- id: upgrade-prek
- continue-on-error: true
- run: |
- echo "Upgrading prek hooks..."
- prek autoupdate --color=always --freeze
- if git diff --quiet; then
- echo "prek_changed=false" >> $GITHUB_OUTPUT
- echo "No changes from prek upgrade"
- else
- echo "prek_changed=true" >> $GITHUB_OUTPUT
- echo "Changes detected from prek upgrade"
- fi
- - name: π Upgrade octopin versions
- id: upgrade-octopin
- continue-on-error: true
- run: |
- echo "Upgrading octopin versions..."
- # Run octopin as a pre-commit hook
- prek run pin-versions --hook-stage manual --color=always
--show-diff-on-failure --all-files
- if git diff --quiet; then
- echo "octopin_changed=false" >> $GITHUB_OUTPUT
- echo "No changes from octopin upgrade"
- else
- echo "octopin_changed=true" >> $GITHUB_OUTPUT
- echo "Changes detected from octopin upgrade"
- fi
- - name: β
No changes needed
- if: >
- steps.upgrade-octopin.outputs.octopin_changed == 'false' &&
- steps.upgrade-prek.outputs.prek_changed == 'false'
- run: |
- echo "β
All dependencies are up to date!"
- - name: β Error - Changes detected
- if: >
- steps.upgrade-octopin.outputs.octopin_changed == 'true' ||
- steps.upgrade-prek.outputs.prek_changed == 'true'
- run: |
- echo "β ERROR: Changes detected from upgrade process!"
- exit 1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0e35322fee..84313d2dc4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -27,15 +27,6 @@ repos:
hooks:
- id: check-hooks-apply
- id: check-useless-excludes
- - repo: https://github.com/eclipse-csi/octopin
- # We need this commit because if supports two spaces before comments
(yamllint compatibility)
- rev: 67eac129b3e1d8ddb47e657bb2fda28c33d948ca # frozen: v0.1.4
- hooks:
- - id: pin-versions
- name: Pin versions of dependencies in CI workflows (manual)
- stages: ['manual']
- language: python
- language_version: python311
- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: b546b77c44c466a54a42af5499dcc0dcc1a3193f # frozen: v1.22.0
hooks: