justinmclean opened a new issue, #192:
URL: https://github.com/apache/airflow-steward/issues/192
## Summary
The `pr-management-code-review` skill has no guidance for two categories of
file that carry IP or release-policy risk but cannot be checked mechanically
the way source files can:
1. **Binary images** — may be third-party brand assets or stock illustrations
with copyright restrictions; cannot carry SPDX headers.
2. **Compiled artifacts** — must not appear in an ASF source release; their
presence in the repo risks them being inadvertently packaged.
Both belong in the "Quality signals to check" category as framework-level
defaults that fire regardless of what the adopter's source files say.
## Issue 1 — Binary images (IP concern)
Images added to a PR have no machine-readable licence metadata. Most are
legitimate (contributor-created screenshots, diagrams), but logos, brand
assets, or polished illustrations may carry copyright restrictions that
require a `LICENSE` entry or cannot be included at all.
An automatic `blocking` or `major` finding on every image would generate
too much noise. The right behaviour is judgment-based: flag only when the
asset looks professionally produced, and ask the contributor to confirm
source and licence rather than blocking outright.
## Issue 2 — Compiled artifacts (release policy)
ASF releases must be source-only
(`https://www.apache.org/legal/release-policy.html`).
Compiled or binary build artifacts committed to the repository risk ending up
in a release archive. There is no legitimate reason to commit the following
to a source tree:
- JVM: `.class`, `.jar`, `.war`, `.ear`
- Python: `.pyc`, `.pyo`, `.pyd`
- Native: `.so`, `.dll`, `.dylib`, `.exe`, `.o`, `.a`
- Packages: `.whl`, `.egg`
These should raise a `major` finding. If the file would be included in a
release archive, the reviewer should escalate to `blocking`.
## Expected behaviour
Both checks are added to `criteria.md` as framework-level defaults under
"Quality signals to check":
- **Image IP**: judgment-based note — no automatic finding; prompt reviewer
to ask the contributor when the asset looks professionally produced.
- **Compiled artifacts**: `major` finding for any of the listed extensions,
with standard text directing the contributor to remove the file and
generate it at build time instead.
## Affected files
- `.claude/skills/pr-management-code-review/criteria.md` — two new
framework-level default subsections under "Quality signals to check".
## Out of scope
- Dependency licence checks for packages listed in `requirements.txt` or
`pyproject.toml` — handled by CI tooling, not per-PR review.
- Full-tree audits for pre-existing compiled artifacts.
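As an added illustration of the two proposed defaults (not code from the airflow-steward project), the following Python script classifies the files touched by a PR: compiled artifacts get a `major` finding, escalated to `blocking` when the path would ship in the release archive, and images are collected as reviewer prompts rather than findings, since the issue leaves that call to human judgment. The image extension list, the `DEFAULT_RELEASE_EXCLUDED_DIRS` set, the magic-byte sniff and the `SAMPLE_FILES` input are all assumptions constructed for the example.

```python
"""Classify PR file paths against the two framework-level defaults proposed
in the issue. Example code only; severity labels come from the issue text."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath

# Extensions enumerated in the issue: none belong in an ASF source tree.
COMPILED_EXTENSIONS = frozenset({
    ".class", ".jar", ".war", ".ear",              # JVM
    ".pyc", ".pyo", ".pyd",                        # Python
    ".so", ".dll", ".dylib", ".exe", ".o", ".a",   # native
    ".whl", ".egg",                                # packages
})

# Assumption: the issue does not list image types; this set is illustrative.
IMAGE_EXTENSIONS = frozenset({".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico"})

# Assumption: top-level directories a release archive excludes. Kept narrow on
# purpose so that an unknown path is treated as shipping (the safe direction).
DEFAULT_RELEASE_EXCLUDED_DIRS = frozenset({".github"})

# Assumption: a few well-known executable headers, so a binary renamed to a
# harmless extension is still caught when the first bytes are available.
MAGIC_PREFIXES = (
    b"\x7fELF",            # ELF (.so, .o on Linux)
    b"MZ",                 # PE/COFF (.exe, .dll)
    b"\xca\xfe\xba\xbe",   # Java .class (also fat Mach-O)
    b"\xcf\xfa\xed\xfe",   # Mach-O 64-bit
    b"\xce\xfa\xed\xfe",   # Mach-O 32-bit
)

REMOVE_ARTIFACT_TEXT = (
    "Compiled artifacts must not be committed to the source tree; please remove "
    "this file and generate it at build time instead."
)


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str  # "major" or "blocking", the levels the issue proposes
    message: str


def _suffix(path: str) -> str:
    # Case-insensitive so `LIB.DLL` or `Foo.Class` are not missed.
    return PurePosixPath(path).suffix.lower()


def is_compiled_artifact(path: str) -> bool:
    return _suffix(path) in COMPILED_EXTENSIONS


def is_image(path: str) -> bool:
    return _suffix(path) in IMAGE_EXTENSIONS


def has_binary_magic(head: bytes | None) -> bool:
    return head is not None and any(head.startswith(m) for m in MAGIC_PREFIXES)


def ships_in_release(path: str, excluded_dirs: frozenset[str] = DEFAULT_RELEASE_EXCLUDED_DIRS) -> bool:
    parts = PurePosixPath(path).parts
    return not (parts and parts[0] in excluded_dirs)


def review_changed_files(files: dict[str, bytes | None],
                         excluded_dirs: frozenset[str] = DEFAULT_RELEASE_EXCLUDED_DIRS
                         ) -> tuple[list[Finding], list[str]]:
    """files maps a changed path to its first bytes (or None if unavailable).
    Returns (findings, image paths the reviewer should ask about)."""
    findings: list[Finding] = []
    image_prompts: list[str] = []
    for path, head in files.items():
        if is_compiled_artifact(path) or has_binary_magic(head):
            severity = "blocking" if ships_in_release(path, excluded_dirs) else "major"
            findings.append(Finding(path, severity, REMOVE_ARTIFACT_TEXT))
        elif is_image(path):
            image_prompts.append(path)  # judgment call, no automatic finding
    return findings, image_prompts


# Constructed sample input standing in for a PR's changed-file list.
SAMPLE_FILES: dict[str, bytes | None] = {
    "airflow/dag.py": None,
    "build/out.class": None,
    "docs/logo.png": None,
    ".github/tools/helper.pyc": None,
    "libfoo.SO": None,
    "vendor/helper.bin": b"\x7fELF\x02\x01\x01",
}

if __name__ == "__main__":
    found, prompts = review_changed_files(SAMPLE_FILES)
    for f in found:
        print(f"[{f.severity}] {f.path}: {f.message}")
    for p in prompts:
        print(f"[ask contributor] {p}: confirm source and licence of this image")
```

The extension match is the cheap first pass; the magic-byte check exists because extension lists are easy to evade by renaming, and a reviewer tool that only looks at suffixes gives false confidence. The image branch deliberately emits a prompt rather than a finding, matching the issue's request to avoid noise on every screenshot.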