potiuk opened a new pull request, #203: URL: https://github.com/apache/airflow-steward/pull/203
## Summary

Three CI-surface housekeeping changes that share a single theme — close the gaps in the supply-chain pipeline (more ecosystems tracked, more workflow YAML scanned, current deps re-locked through the 7-day cooldown window).

### 1. Dependabot — full uv-ecosystem coverage

Previously only `github-actions`, `pre-commit`, and **two of the eight** uv-managed projects had Dependabot coverage; the remaining six (root + 5 tools) were drifting silently. The config now tracks every uv project under the repo, each with the same 7-day cooldown applied across all four semver buckets (default / major / minor / patch) the existing entries already use:

| New entry | Notes |
| --- | --- |
| `/` (root) | Currently just `prek` as a dev dep, but the pyproject is uv-managed |
| `/tools/skill-validator` | Hatch + dev tooling |
| `/tools/skill-evals` | Seeded `uv.lock` so Dependabot's `uv` ecosystem can resolve it — previously had pyproject only |
| `/tools/sandbox-lint` | |
| `/tools/vulnogram/oauth-api` | |
| `/tools/privacy-llm/redactor` | |
| `/tools/privacy-llm/checker` | |

Added a header comment explaining the cooldown rationale and its alignment with `[tool.uv] exclude-newer = "7 days"` in the root `pyproject.toml` and the `exclude-newer-span = "P7D"` baked into every tool's `uv.lock`.

### 2. CodeQL — Actions analyzer alongside Python

`codeql.yml` previously scanned only `python`. The CodeQL `actions` language analyses workflow YAML for taint flows (untrusted PR titles / fork inputs reaching privileged sinks) — a deeper read than the lint-style ruleset `zizmor.yml` already runs. The job now uses a `language: [python, actions]` matrix; zizmor stays untouched, the two are complementary.

> ⚠️ **Branch protection on `main`**: the job is no longer named `Analyze Python`. Required-status-check rules referencing the old name will need updating to `Analyze (python)` / `Analyze (actions)`, or migrated to reference the workflow instead.

### 3. Dependency refresh — everything re-locked through the 7-day window

Ran `uv lock --upgrade` across the root + all 7 uv tool projects, plus `prek autoupdate` on `.pre-commit-config.yaml`. Every version below has been GA for at least a week (the lockfiles and the root pyproject both enforce that window):

- **Root**: `prek` 0.3.10 → 0.3.13
- **All tool projects**: `mypy` 1.20.2 → 2.0.0 (major; dev-only), `librt` 0.9.0 → 0.11.0, new transitive `ast-serialize` 0.3.0
- **generate-cve-json + privacy-llm + sandbox-lint + skill-validator + vulnogram-oauth-api**: `packaging` 26.1 → 26.2, `pathspec` 1.0.4 → 1.1.1, `ruff` 0.15.11 → 0.15.12
- **gmail/oauth-draft** (only project with non-trivial runtime deps): `certifi` 2026.2.25 → 2026.4.22, `cryptography` 46.0.7 → 48.0.0 (major; runtime — token signing only, no user-supplied crypto inputs), `google-auth` 2.49.2 → 2.52.0, `google-auth-oauthlib` 1.3.1 → 1.4.0, `idna` 3.12 → 3.14, `urllib3` 2.6.3 → 2.7.0
- **pre-commit hooks**: `doctoc` v2.2.0 → v2.4.1, `pre-commit-hooks` v4.5.0 → v6.0.0 (major; CI-side static-check infra), `typos` v1.45.2 → v1.46.2

No GitHub Actions refs were bumped here — Dependabot's `github-actions` ecosystem will handle those on its next sweep.

## Test plan

- [ ] Dependabot Insights page for the repo lists all 11 ecosystem entries (1× github-actions, 1× pre-commit, 9× uv).
- [ ] On next `Dependabot — Refresh` run, the new uv entries each resolve cleanly (no `resolution failed`).
- [ ] CodeQL workflow on this PR shows two parallel jobs `Analyze (python)` and `Analyze (actions)`, both completing successfully and uploading distinct SARIF categories.
- [ ] `zizmor.yml` still runs and reports clean (no new findings introduced by the workflow matrix change).
- [ ] `prek run --all-files` passes locally on the updated hook revs (note: the `doctoc` hook's `npm install` can fail on a stale `~/.npm` cache — unrelated to this PR).
- [ ] After merge, update the branch protection on `main` to reference `Analyze (python)` / `Analyze (actions)` instead of `Analyze Python` (or switch to workflow-based required checks).

Generated-by: Claude Code (Opus 4.7)
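Added illustration, not the PR's actual `dependabot.yml`: the shape a `uv`-ecosystem entry with a 7-day cooldown on all four semver buckets takes, using the directory paths from the table above. The `schedule` values, the `github-actions` / `pre-commit` blocks and the comment text are assumptions; only the directories and the 7-day window come from the PR description.

```yaml
# .github/dependabot.yml (illustrative; not the file from PR #203)
#
# Cooldown rationale: every entry waits 7 days after a release before
# proposing it, matching `[tool.uv] exclude-newer = "7 days"` in the root
# pyproject.toml and `exclude-newer-span = "P7D"` in each tool's uv.lock,
# so a local `uv lock --upgrade` and Dependabot converge on the same versions.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"          # assumed cadence
    cooldown:
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7

  - package-ecosystem: "pre-commit"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7

  # Root project: uv-managed pyproject.toml (currently only `prek` as a dev dep)
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7

  - package-ecosystem: "uv"
    directory: "/tools/skill-validator"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7

  # Needs a committed uv.lock in the directory, otherwise the uv ecosystem
  # cannot resolve the project and the update run reports a resolution failure.
  - package-ecosystem: "uv"
    directory: "/tools/skill-evals"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7

  # /tools/sandbox-lint, /tools/vulnogram/oauth-api,
  # /tools/privacy-llm/redactor and /tools/privacy-llm/checker
  # each get an identical "uv" block with their own directory.
```

A quick sanity check after editing: the Dependabot "Insights" page for the repository should list one entry per `updates` item, and any entry whose directory lacks a `uv.lock` will surface as a resolution error on the next run rather than silently being skipped.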
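Added illustration of the CodeQL matrix described in section 2, not the PR's `codeql.yml`: a single `analyze` job expanded over `language: [python, actions]`, with the job name and a per-language `category` so the two runs upload distinct SARIF results. Triggers, the cron expression, the runner and the `@v3` / `@v4` action refs are assumptions.

```yaml
# .github/workflows/codeql.yml (illustrative; not the file from PR #203)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"            # assumed weekly sweep

permissions:
  contents: read

jobs:
  analyze:
    # Matrix expansion yields the check names "Analyze (python)" and
    # "Analyze (actions)", which is what branch protection must reference
    # once the old "Analyze Python" job name disappears.
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write       # required to upload SARIF
      actions: read
    strategy:
      fail-fast: false             # keep both analyses running if one fails
      matrix:
        language: [python, actions]
    steps:
      - uses: actions/checkout@v4  # pin to a commit SHA in a real workflow
        with:
          persist-credentials: false

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct categories keep the python and actions SARIF uploads
          # from overwriting each other on the Security tab.
          category: "/language:${{ matrix.language }}"
```

The `actions` analyzer reads the repository's workflow YAML itself, so it runs alongside, not instead of, the lint-style checks in `zizmor.yml`; the `permissions` block and `persist-credentials: false` keep the new job from introducing findings in that linter.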
