This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 54a2ce4 chore(asf): enable required-status-checks protection on main (#204)
54a2ce4 is described below
commit 54a2ce4aba911bf69bb10a67a94ab5421be42303
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon May 18 02:29:04 2026 +0200
chore(asf): enable required-status-checks protection on main (#204)
ASF Infra was previously not configuring any branch protection on
`main` for this repo — verified via the GitHub protection API
(`branches/main/protection` → 404, `branches/main.protected` →
false) and confirmed by the prior `.asf.yaml` comment ("No
`protected_branches:` block by design"). The comment also said
"configured directly in GitHub for now", but inspection shows no
direct-on-GitHub rule was ever created. This change moves
branch-protection ownership into `.asf.yaml` where it sits next to
the rest of the repo config.
What landed in `.asf.yaml`:
- New `protected_branches: main:` block.
- `required_status_checks` lists the eleven contexts that run on
every PR against `main` (so they always post a status — a
prerequisite for classic branch-protection's
required-checks model, which lacks "require only if run"
semantics):
* Analyze (python)
* Analyze (actions)
* zizmor
* prek
* pytest (oauth-draft)
* pytest (generate-cve-json)
* pytest (skill-validator)
* pytest (privacy-llm-checker)
* pytest (privacy-llm-redactor)
* pytest (vulnogram-oauth-api)
* pytest (sandbox-lint)
Path-filtered workflows (`asf-allowlist-check`, sandbox-lint's
`lint .claude/settings.json against baseline`) are deliberately
excluded — making them required would block any PR that didn't
touch the filtered paths. `lychee` (link-check) is also
excluded; external link rot is a maintenance concern handled
by the daily scheduled run, not a merge-blocker.
`strict: false` so a merge to `main` does not invalidate every
other open PR — standard ASF multi-contributor practice.
- `required_linear_history: true` matches the existing
`enabled_merge_buttons.squash: true` setting — squash is the
only enabled merge mode.
- `required_conversation_resolution: true` blocks merge while
any review thread is unresolved. Bites independently of the
approval requirement.
- `required_signatures: false` — external contributors without
configured GPG/SSH signing would otherwise be blocked from
contributing.
- `required_pull_request_reviews:` deliberately OMITTED for now,
with a prominent TEMPORARY POSTURE block in the .asf.yaml
comments calling out that approvals MUST be re-enabled when the
project establishes its own PMC. The framework is in bootstrap
under the Airflow PMC umbrella with a small committer set
(MISSION.md); requiring approvals at this stage would block
routine maintainer self-merges. Status checks alone gate
merges in the interim.
ASF Infra reconciles `.asf.yaml` within a few minutes of merge.
The very next PR against `main` will block on all eleven status
checks — including a maintainer's own PRs — but no approval is
required for self-merge during this temporary posture.
Generated-by: Claude Code (Opus 4.7)
---
.asf.yaml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 73 insertions(+), 3 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
index 4e72a8c..f470a4c 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -100,9 +100,79 @@ github:
# asfyaml / PyGithub interaction is fixed upstream and a release
# workflow exists that needs the environment.
- # No `protected_branches:` block by design — branch protections are
- # configured directly in GitHub for now. Add here when the project's
- # release / branching policy stabilises.
+ # Branch protection on `main`. ASF Infra reconciles this within a
+ # few minutes of merge to main (asfyaml feature
+ # `protected_branches`). Earlier note about "configured directly in
+ # GitHub" was superseded by inspection — no direct-on-GitHub rule
+ # ever existed, so the protection now lives here next to the rest
+ # of the repo config.
+ #
+ # TEMPORARY POSTURE — REVISIT AT PMC FORMATION
+ # --------------------------------------------
+ # Pull-request approvals are intentionally NOT required while the
+ # framework is in its bootstrap phase under the Airflow PMC
+ # umbrella with a small set of committers (see MISSION.md). Once
+ # the project establishes its own PMC, this block MUST be
+ # revisited: add a `required_pull_request_reviews:` section with
+ # `required_approving_review_count: 1` (or higher) and
+ # `dismiss_stale_reviews` / `require_code_owner_reviews` tuned to
+ # the new committer / CODEOWNERS shape. Until then, status checks
+ # alone gate merges — a maintainer can self-merge after CI green.
+ protected_branches:
+ main:
+ # Required status checks. Listed contexts MUST run on every PR
+ # against `main` — path-filtered workflows are excluded
+ # (classic branch-protection has no "require only if run"
+ # semantics, so a path-filtered job that doesn't post a status
+ # would block the PR). Excluded for that reason:
+ # `asf-allowlist-check` (paths: `.github/**`) and
+ # `lint .claude/settings.json against baseline` from
+ # sandbox-lint (paths: `.claude/settings.json` +
+ # `tools/sandbox-lint/**`). Also excluded: `lychee` (the
+ # link-check runs on every PR, but external link rot is a
+ # maintenance concern handled by the daily schedule — it is
+ # not a merge-blocker).
+ required_status_checks:
+ # `strict: false` — don't require the PR branch to be up
+ # to date with `main` before merging. With `strict: true`,
+ # every merge to `main` invalidates every other open PR and
+ # forces a rebase loop. False matches typical ASF practice
+ # for multi-contributor repos.
+ strict: false
+ contexts:
+ # CodeQL — two matrix legs (Python + GitHub Actions YAML).
+ - "Analyze (python)"
+ - "Analyze (actions)"
+ # zizmor (GitHub Actions security lint; complements CodeQL).
+ - "zizmor"
+ # Pre-commit (prek) — static checks across the repo.
+ - "prek"
+ # Per-project pytest matrix from tests.yml. Mirrors the
+ # `matrix.project[].name` list there; keep these two
+ # lists in sync when projects are added or renamed.
+ - "pytest (oauth-draft)"
+ - "pytest (generate-cve-json)"
+ - "pytest (skill-validator)"
+ - "pytest (privacy-llm-checker)"
+ - "pytest (privacy-llm-redactor)"
+ - "pytest (vulnogram-oauth-api)"
+ - "pytest (sandbox-lint)"
+ # `required_pull_request_reviews:` deliberately omitted — see
+ # the TEMPORARY POSTURE note above. Re-add at PMC formation.
+ #
+ # Linear history matches `enabled_merge_buttons.squash: true`
+ # above — squash is the only enabled merge mode, so every
+ # merge results in a single commit on top of main.
+ required_linear_history: true
+ # Block merge while review threads remain unresolved. This
+ # bites even without an approval requirement: any reviewer
+ # who opens a thread blocks merge until it is resolved.
+ required_conversation_resolution: true
+ # Do NOT require signed commits. External contributors
+ # without configured GPG/SSH signing would be unable to
+ # contribute. Re-enable if/when the project adopts a
+ # committer-only signing policy.
+ required_signatures: false
notifications:
# The framework is hosted under the Airflow PMC umbrella for now;
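Review bot: the `contexts:` list under `required_status_checks` is a hand-maintained mirror of `matrix.project[].name` in tests.yml, as the comment beside the `pytest (...)` entries admits, and nothing in this hunk enforces that; the drift is asymmetric, because a renamed or removed project leaves a required context that never posts and makes `main` unmergeable until `.asf.yaml` is fixed, while an added project is simply not required and silently stops gating merges. Consider adding a small check (prek is already a required context, so it is a natural home) that the two lists are identical, and cover `"Analyze (python)"` / `"Analyze (actions)"` in the same check, since those names depend on the CodeQL job's display-name template plus its matrix values. The `strict: false` comment could also say what it gives up: two PRs that are each green against a stale `main` can still break it together, so the same workflows should run on push to `main` to catch that combination promptly.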