This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 3acbb53 chore(asf.yaml): remove CodeQL from required checks; add
lychee (#284)
3acbb53 is described below
commit 3acbb5398ce8d425a4516249194d43a86321c0a8
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon May 25 19:18:58 2026 +0200
chore(asf.yaml): remove CodeQL from required checks; add lychee (#284)
Two `required_status_checks` changes to `protected_branches.main`:
1. **CodeQL un-gated.** `Analyze (python)` and `Analyze (actions)`
are no longer required to merge. The `codeql.yml` workflow still
runs on every PR and surfaces findings in the Security tab -- a
finding just stops blocking merge. The framework repo is docs-
and skills-heavy with no published runtime artefacts, so the
per-PR incremental value of CodeQL gating is low relative to the
noise it produces on changes that do not touch real attack
surface. Re-introduce as a required gate if/when the project
starts publishing runtime artefacts that warrant per-PR static
analysis.
2. **Lychee now required.** The link-checker (`lychee`) was
previously excluded with a "link rot is a daily-schedule
maintenance concern" rationale. It runs on every PR (no path
filter), so requiring it gates merge on link rot introduced in
the PR itself. The daily schedule run still catches drift on
files the PR did not touch -- the daily run is now the *second*
line of defence rather than the only one.
Not changed:
- The two path-filtered exclusions stay: `asf-allowlist-check`
(`.github/**`) and `lint .claude/settings.json against baseline`
(sandbox-lint, `.claude/settings.json` + `tools/sandbox-lint/**`).
Classic branch-protection has no "require only if run" semantics,
so a path-filtered job that does not post a status on every PR
blocks merge. Requiring those needs the workflows to emit a
no-op success status when skipped -- separate work.
- `strict: false`, `required_linear_history: true`,
`required_conversation_resolution: true`,
`required_signatures: false`, and the absence of
`required_pull_request_reviews:` (per the TEMPORARY POSTURE
block) all carry over unchanged.
Final required-contexts list (10):
zizmor, prek, lychee, and the seven `pytest (<project>)` matrix
legs (oauth-draft, generate-cve-json, skill-validator,
privacy-llm-checker, privacy-llm-redactor, vulnogram-oauth-api,
sandbox-lint).
Generated-by: Claude Code (Opus 4.7)
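The commit message notes that classic branch protection has no "require only if run" semantics, so a path-filtered job can only become a required check once its workflow posts a status on every PR. As an added illustration (editor's example, not code from the airflow-steward repository), the pattern below drops the `paths:` filter from the trigger and moves the path test into the job itself, so the job always reports a status and simply succeeds as a no-op when nothing relevant changed. The job `name:` is kept identical to the context string quoted in `.asf.yaml`; the lint command on the last real step is a hypothetical placeholder.

```yaml
name: sandbox-lint
on:
  # No `paths:` filter here: the job must run, and post a status, on every PR
  pull_request:
jobs:
  lint-settings:
    # Must match the `required_status_checks.contexts` entry byte for byte
    name: lint .claude/settings.json against baseline
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the base SHA is reachable for `git diff`
      - id: changed
        name: Detect whether the lint-relevant paths changed in this PR
        env:
          # Passed via env rather than interpolated into the script (zizmor-clean)
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          if git diff --name-only "$BASE_SHA" "$HEAD_SHA" -- \
               .claude/settings.json tools/sandbox-lint/ | grep -q .; then
            echo "relevant=true" >> "$GITHUB_OUTPUT"
          else
            echo "relevant=false" >> "$GITHUB_OUTPUT"
          fi
      - if: steps.changed.outputs.relevant == 'true'
        name: Lint settings against baseline
        run: python tools/sandbox-lint/lint.py   # hypothetical entry point
      - if: steps.changed.outputs.relevant != 'true'
        name: No relevant changes
        run: echo "No lint-relevant paths changed; reporting success without linting."
```

With this shape the job's status is always either a real lint result or an explicit no-op success, which is what a required context needs; the same transformation applies to the `.github/**`-filtered `asf-allowlist-check` job mentioned in the message.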
---
.asf.yaml | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/.asf.yaml b/.asf.yaml
index a6bb856..66d317f 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -132,10 +132,18 @@ github:
# `asf-allowlist-check` (paths: `.github/**`) and
# `lint .claude/settings.json against baseline` from
# sandbox-lint (paths: `.claude/settings.json` +
- # `tools/sandbox-lint/**`). Also excluded: `lychee` (the
- # link-check runs on every PR, but external link rot is a
- # maintenance concern handled by the daily schedule — it is
- # not a merge-blocker).
+ # `tools/sandbox-lint/**`).
+ #
+ # CodeQL (`Analyze (python)`, `Analyze (actions)`) is NOT
+ # required. The framework repo is docs- and skills-heavy with
+ # no published runtime artefacts — the per-PR incremental
+ # value of CodeQL gating is low relative to the noise it
+ # produces on changes that do not touch real attack surface.
+ # The `codeql.yml` workflow still runs on every PR for
+ # visibility (findings surface in the Security tab), but a
+ # finding does not block merge. Re-introduce as a required
+ # gate if/when the project starts publishing runtime
+ # artefacts that warrant per-PR static analysis.
required_status_checks:
# `strict: false` — don't require the PR branch to be up
# to date with `main` before merging. With `strict: true`,
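Review bot: the new comment block (the "CodeQL ... is NOT required" paragraph) should also state what still gates changes under `.github/**`, because after this hunk that path has only one required check left. The surrounding comment already records that `asf-allowlist-check` (paths `.github/**`) is excluded, and this hunk removes `Analyze (actions)` from the required set, so `zizmor` becomes the sole required gate for workflow edits. Suggest adding a sentence such as `# With CodeQL un-gated, zizmor is the only required check that inspects .github/** changes.` so a future reader does not assume the allowlist check or CodeQL still blocks them.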
@@ -144,13 +152,15 @@ github:
# for multi-contributor repos.
strict: false
contexts:
- # CodeQL — two matrix legs (Python + GitHub Actions YAML).
- - "Analyze (python)"
- - "Analyze (actions)"
- # zizmor (GitHub Actions security lint; complements CodeQL).
+ # zizmor — GitHub Actions security lint.
- "zizmor"
# Pre-commit (prek) — static checks across the repo.
- "prek"
+ # Lychee — link checker. Runs on every PR (no path
+ # filter), so it gates merge on link rot introduced in
+ # the PR. The daily schedule run still catches drift on
+ # files the PR did not touch.
+ - "lychee"
# Per-project pytest matrix from tests.yml. Mirrors the
# `matrix.project[].name` list there; keep these two
# lists in sync when projects are added or renamed.
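Review bot: the `lychee` comment should name the workflow file that defines the `lychee` job, as the pytest comment two lines below does with `tests.yml`. Classic branch protection matches the context string literally, so `- "lychee"` only works while the link-check job's `name:` is exactly `lychee`; pointing at the defining workflow makes that coupling visible to whoever next renames the job. Something like `# Lychee — link checker (job \`lychee\` in the link-check workflow).` with the actual file name filled in would keep the two in sync the same way the matrix list is.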