Commit ff0347f

Author: Natanel Rudyuklakir
Merge branch 'main' of https://github.com/apache/airflow into feature/remove-large-in-clause-in-assets
2 parents aeb97b7 + 7205e26 commit ff0347f

178 files changed: +3291 -2157 lines changed

.github/CODEOWNERS

Lines changed: 3 additions & 0 deletions
@@ -149,3 +149,6 @@ Dockerfile.ci @potiuk @ashb @gopidesupavan @amoghrajesh @jscheffl @bugraoz93 @ka
149149

150150
# Shared Libraries
151151
/shared/ @ashb @amoghrajesh @potiuk
152+
153+
# RMs on release documents
154+
/dev/README_RELEASE_*.md @potiuk @jscheffl @vincbeck @shahar1 @jedcunningham @bugraoz93
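
Review bot: The new `/dev/README_RELEASE_*.md` entry (new line 154) is appended after every existing rule, and CODEOWNERS resolves a path by its last matching pattern, so these six owners replace, rather than add to, whoever an earlier pattern assigned to those files. Confirm that is intended. The comment on new line 153 would also read better spelled out as `# Release managers on release documents`, since "RMs" is not defined anywhere in the visible context.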

.github/SECURITY.md

Lines changed: 17 additions & 14 deletions
@@ -4,16 +4,19 @@
44
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
55
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
66

7-
- [What should be and should NOT be reported ?](#what-should-be-and-should-not-be-reported-)
8-
- [How to report the issue ?](#how-to-report-the-issue-)
9-
- [Is this really a security vulnerability ?](#is-this-really-a-security-vulnerability-)
10-
- [How do we assess severity of the issue ?](#how-do-we-assess-severity-of-the-issue-)
11-
- [What happens after you report the issue ?](#what-happens-after-you-report-the-issue-)
12-
- [Does CVE in Airflow Providers impact Airflow core package ?](#does-cve-in-airflow-providers-impact-airflow-core-package-)
13-
- [Where do I find more information about Airflow Security ?](#where-do-i-find-more-information-about-airflow-security-)
7+
- [Apache Airflow Security](#apache-airflow-security)
8+
- [What should be and should NOT be reported ?](#what-should-be-and-should-not-be-reported-)
9+
- [How to report the issue ?](#how-to-report-the-issue-)
10+
- [Is this really a security vulnerability ?](#is-this-really-a-security-vulnerability-)
11+
- [How do we assess severity of the issue ?](#how-do-we-assess-severity-of-the-issue-)
12+
- [What happens after you report the issue ?](#what-happens-after-you-report-the-issue-)
13+
- [Does CVE in Airflow Providers impact Airflow core package ?](#does-cve-in-airflow-providers-impact-airflow-core-package-)
14+
- [Where do I find more information about Airflow Security ?](#where-do-i-find-more-information-about-airflow-security-)
1415

1516
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
1617

18+
# Apache Airflow Security
19+
1720
This document contains information on how to report security vulnerabilities in Apache Airflow and
1821
how security issues reported to the Apache Airflow security team are handled. If you would like
1922
to learn more, head to the
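
Review bot: The title `# Apache Airflow Security` is added at new line 18, below the doctoc block, so the regenerated TOC (new line 7) opens with a link to the heading that immediately follows it. Consider placing the H1 above the `START doctoc` marker so the document leads with its title. Since the block is marked `DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE`, also confirm the list was produced by re-running doctoc rather than edited by hand.
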
@@ -30,7 +33,7 @@ e-mail address [security@airflow.apache.org](mailto:security@airflow.apache.org)
3033
Before sending the report, however, please read the following guidelines first. The guidelines should
3134
answer the most common questions you might have about reporting vulnerabilities.
3235

33-
### What should be and should NOT be reported ?
36+
## What should be and should NOT be reported ?
3437

3538
**Only** use the security e-mail address to report undisclosed security vulnerabilities in Apache
3639
Airflow and to manage the process of fixing such vulnerabilities. We do not accept regular
@@ -45,13 +48,13 @@ with dependencies in Airflow Docker reference image - there is a page that descr
4548
[Airflow reference Image is fixed at release time](https://airflow.apache.org/docs/docker-stack/index.html#fixing-images-at-release-time) and providing helpful instructions explaining
4649
how you can build your own image and manage dependencies of Airflow in your own image.
4750

48-
### How to report the issue ?
51+
## How to report the issue ?
4952

5053
Please send one plain-text email for each vulnerability you are reporting including an explanation
5154
of how it affects Airflow security. We may ask that you resubmit your report if you send it as an image,
5255
movie, HTML, or PDF attachment when you could as easily describe it with plain text.
5356

54-
### Is this really a security vulnerability ?
57+
## Is this really a security vulnerability ?
5558

5659
Before reporting vulnerabilities, please make sure to read and understand the [security model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html)
5760
of Airflow, because some of the potential security vulnerabilities that are valid for projects that are
@@ -69,7 +72,7 @@ a lot of time on preparing the issue report to follow the guidelines above and w
6972
save time for yourself and for the Airflow Security team by reading and understanding the security model
7073
before reporting the issue.
7174

72-
### How do we assess severity of the issue ?
75+
## How do we assess severity of the issue ?
7376

7477
Severity of the issue is determined based on the criteria described in
7578
the [Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software Foundation Security team.
@@ -79,7 +82,7 @@ do not apply to Airflow, or have a different severity than some generic scoring
7982
(for example `CVSS`) calculation suggests. So we are not using any generic scoring system.
8083

8184

82-
### What happens after you report the issue ?
85+
## What happens after you report the issue ?
8386

8487
The Airflow Security Team will get back to you after assessing the report. You will usually get
8588
confirmation that the issue is being worked (or that we quickly assessed it as invalid) within several
@@ -100,7 +103,7 @@ Security issues in Airflow are handled by the Airflow Security Team. Details abo
100103
Team and how members of it are chosen can be found in the
101104
[Contributing documentation](https://github.com/apache/airflow/blob/main/contributing-docs/01_roles_in_airflow_project.rst#security-team).
102105

103-
### Does CVE in Airflow Providers impact Airflow core package ?
106+
## Does CVE in Airflow Providers impact Airflow core package ?
104107

105108
Airflow core package is released separately from provider distributions. While Airflow comes with ``constraints``
106109
which describe which version of providers have been tested when the version of Airflow was released, the
@@ -110,7 +113,7 @@ not apply to the Airflow core package. There are also Airflow providers released
110113
Airflow community is not responsible for releasing and announcing security vulnerabilities in them, this
111114
is handled entirely by the 3rd-parties that release their own providers.
112115

113-
### Where do I find more information about Airflow Security ?
116+
## Where do I find more information about Airflow Security ?
114117

115118
If you wish to know more about the ASF security process,
116119
the [ASF Security team's page](https://www.apache.org/security/) describes
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
---
2+
applyTo: "**"
3+
excludeAgent: "coding-agent"
4+
---
5+
6+
# Airflow Code Review Instructions
7+
8+
Use these rules when reviewing pull requests to the Apache Airflow repository.
9+
10+
## Architecture Boundaries
11+
12+
- **Scheduler must never run user code.** It only processes serialized Dags. Flag any scheduler-path code that deserializes or executes Dag/task code.
13+
- **Workers must not access the metadata DB directly.** Task execution communicates with the API server through the Execution API (`/execution` endpoints) only.
14+
- **Dag Processor and Triggerer run user code in isolated processes.** Code in these components should maintain that isolation.
15+
- **Providers must not import core internals** like `SUPERVISOR_COMMS` or task-runner plumbing. Providers interact through the public SDK and execution API only.
16+
17+
## Database and Query Correctness
18+
19+
- **N+1 queries**: Flag SQLAlchemy queries that access relationships inside loops without `joinedload()` or `selectinload()`.
20+
- **`run_id` is only unique per Dag.** Queries that group, partition, or join on `run_id` alone (without `dag_id`) will collide across Dags. Always require `(dag_id, run_id)` together.
21+
- **Cross-database compatibility**: SQL changes must work on PostgreSQL, MySQL, and SQLite. Flag database-specific features (lateral joins, window functions) without cross-DB handling.
22+
- **Session discipline**: In `airflow-core`, functions receiving a `session` parameter must not call `session.commit()`. Use keyword-only `session` parameters.
23+
24+
## Code Quality Rules
25+
26+
- No `assert` in production code (stripped in optimized Python).
27+
- `time.monotonic()` for durations, not `time.time()`.
28+
- Imports at top of file. Valid exceptions: circular imports, lazy loading for worker isolation, `TYPE_CHECKING` blocks.
29+
- Guard heavy type-only imports (e.g., `kubernetes.client`) with `TYPE_CHECKING` in multi-process code paths.
30+
- Unbounded caches are bugs: all `@lru_cache` must have `maxsize`.
31+
- Resources (files, connections, sessions) must use context managers or `try/finally`.
32+
33+
## Testing Requirements
34+
35+
- New behavior requires tests covering success, failure, and edge cases.
36+
- Use pytest patterns, not `unittest.TestCase`.
37+
- Use `spec`/`autospec` when mocking.
38+
- Use `time_machine` for time-dependent tests.
39+
- Imports belong at the top of test files, not inside test functions.
40+
- Issue numbers do not belong in test docstrings.
41+
42+
## API Correctness
43+
44+
- `map_index` must be handled correctly for mapped tasks. Queries without `map_index` filtering may return arbitrary task instances.
45+
- Execution API changes must follow Cadwyn versioning (CalVer format).
46+
47+
## UI Code (React/TypeScript)
48+
49+
- Avoid `useState + useEffect` to sync derived state. Use nullish coalescing or nullable override patterns instead.
50+
- Extract shared logic into custom hooks rather than copy-pasting across components.
51+
52+
## AI-Generated Code Signals
53+
54+
Flag these patterns that indicate low-quality AI-generated contributions:
55+
56+
- **Fabricated diffs**: Changes to files or code paths that don't exist in the repository.
57+
- **Unrelated files included**: Changes to files that have nothing to do with the stated purpose of the PR.
58+
- **Description doesn't match code**: PR description describes something different from what the code actually does.
59+
- **No evidence of testing**: Claims of fixes without test evidence, or author admitting they cannot run the test suite.
60+
- **Over-engineered solutions**: Adding caching layers, complex locking, or benchmark scripts for problems that don't exist or are misunderstood.
61+
- **Narrating comments**: Comments that restate what the next line does (e.g., `# Add the item to the list` before `list.append(item)`).
62+
- **Empty PR descriptions**: PRs with just the template filled in and no actual description of the changes.
63+
64+
## Quality Signals to Check
65+
66+
The absence of these signals in a "fix" or "optimization" PR is itself a red flag:
67+
68+
- **Bug fixes need regression tests**: A test that fails without the fix and passes with it.
69+
- **Existing tests must still pass without modification**: If existing tests need changes to pass, the PR may introduce a behavioral regression.
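
Review bot: The rule at new line 30, `all @lru_cache must have maxsize`, does not match how `functools.lru_cache` behaves: a bare `@lru_cache` already defaults to `maxsize=128`, and the unbounded forms are `@lru_cache(maxsize=None)` and `@functools.cache`. As worded, a reviewer following this rule would flag decorators that are already bounded and pass the ones that are not. Suggest rewording it to flag `maxsize=None` and `@cache` unless the set of possible keys is known to be small.
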
Lines changed: 113 additions & 0 deletions
@@ -0,0 +1,113 @@
1+
<!-- SPDX-License-Identifier: Apache-2.0
2+
https://www.apache.org/licenses/LICENSE-2.0 -->
3+
4+
# Korean (ko)
5+
6+
This document provides locale-specific instructions for translating English Airflow UI strings into Korean. It inherits all global rules from the parent [SKILL.md](../SKILL.md).
7+
8+
## Translation Style
9+
10+
Use wording already established in existing `ko` locale files first. If a term has no established translation yet, prefer natural Korean UI phrasing over literal transliteration.
11+
12+
**English source:**
13+
14+
```json
15+
"lastDagRun_one": "Last Dag Run",
16+
"deleteConnection_other": "Delete {{count}} connections"
17+
```
18+
19+
**Correct** — natural Korean UI wording:
20+
21+
```json
22+
"lastDagRun_one": "마지막 Dag 실행",
23+
"deleteConnection_other": "커넥션 {{count}}개 삭제"
24+
```
25+
26+
**Incorrect** — overly literal or awkward:
27+
28+
```json
29+
"lastDagRun_one": "마지막 Dag 런",
30+
"deleteConnection_other": "{{count}} 연결들을 삭제"
31+
```
32+
33+
## Plural Forms
34+
35+
Korean often uses the same wording for singular and plural. Follow established usage in existing `ko` locale files first. If an existing key pair already distinguishes `_one` and `_other`, keep that distinction. If no established wording exists, use the same translation for both.
36+
37+
**English source:**
38+
39+
```json
40+
"taskCount_one": "{{count}} Task",
41+
"taskCount_other": "{{count}} Tasks"
42+
```
43+
44+
**Correct** — identical for both when no established distinction exists:
45+
46+
```json
47+
"taskCount_one": "{{count}}개 작업",
48+
"taskCount_other": "{{count}}개 작업"
49+
```
50+
51+
## Counters and Spacing
52+
53+
Use counters consistent with existing `ko` locale usage and keep spacing readable:
54+
55+
- Insert a single space between Korean and adjacent English technical terms where needed (`Dag 실행`, `커넥션 ID`).
56+
- Do not insert a space between numbers/placeholders and counters such as `` (for example, `{{count}}개`).
57+
58+
```json
59+
"deleteConnection_other": "커넥션 {{count}}개 삭제",
60+
"taskCount_one": "{{count}}개 작업",
61+
"taskCount_other": "{{count}}개 작업",
62+
"lastDagRun_one": "마지막 Dag 실행",
63+
"connectionId": "커넥션 ID"
64+
```
65+
66+
## Particles and Placeholders
67+
68+
Preserve all `{{variable}}` placeholders exactly. Attach Korean particles outside placeholders and reorder phrases only when needed for natural Korean word order.
69+
70+
**English source:**
71+
72+
```json
73+
"confirmation": "Are you sure you want to delete {{resourceName}}? This action cannot be undone.",
74+
"description": "{{count}} {{resourceName}} have been successfully deleted. Keys: {{keys}}"
75+
```
76+
77+
**Correct** — placeholders preserved and particles outside:
78+
79+
```json
80+
"confirmation": "{{resourceName}}을(를) 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.",
81+
"description": "{{count}}개 {{resourceName}}이(가) 성공적으로 삭제되었습니다. 키: {{keys}}"
82+
```
83+
84+
**Incorrect** — variable names translated:
85+
86+
```json
87+
"confirmation": "{{리소스이름}}을(를) 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.",
88+
"description": "{{개수}}개 {{리소스이름}}이(가) 성공적으로 삭제되었습니다. 키: {{키들}}"
89+
```
90+
91+
## Tone and UI Voice
92+
93+
- Use neutral, slightly formal tone.
94+
- Keep labels and messages concise for UI.
95+
- Use polite confirmations in destructive actions:
96+
`"{{resourceName}}을(를) 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다."`
97+
- Avoid colloquial phrasing.
98+
99+
## Terminology and Casing
100+
101+
- Keep `Dag` casing exactly as `Dag` (never `DAG`).
102+
- Reuse established Korean role terms from existing `ko` locale files (for example, `스케줄러`, `오퍼레이터`).
103+
- Prefer established `ko` glossary by key context (for example, `Dag 실행`, `커넥션`, `변수`), and keep stable technical tokens in English: `XCom`, `REST API`, `JSON`, `URL`, `ID`, `UTC`.
104+
105+
## Terminology Reference
106+
107+
The established Korean translations are defined in existing locale files. Before translating, **read the existing ko JSON files** to learn the established terminology:
108+
109+
```
110+
airflow-core/src/airflow/ui/public/i18n/locales/ko/
111+
```
112+
113+
Use the translations found in these files as the authoritative glossary. When translating a term, check how it has been translated elsewhere in the locale to maintain consistency. If a term has not been translated yet, refer to the English source in `en/` and apply the rules in this document.
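
Review bot: New line 56 names the counter with an empty pair of backticks ("counters such as" followed by nothing), so as shown the rule does not say which counter it means. The example on the same line and the JSON block at new lines 58-64 both use `개`, so put that character inside the code span.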

.github/workflows/airflow-distributions-tests.yml

Lines changed: 2 additions & 1 deletion
@@ -112,9 +112,10 @@ jobs:
112112
env:
113113
DISTRIBUTION_TYPE: "${{ inputs.distribution-cmd-format }}"
114114
USE_LOCAL_HATCH: "${{ inputs.use-local-venv }}"
115+
# Pin on virtualenv is temporary for pypa/hatch#2193
115116
run: |
116117
uv tool uninstall hatch || true
117-
uv tool install hatch==1.16.4
118+
uv tool install hatch==1.16.4 --with 'virtualenv<21'
118119
breeze release-management "${DISTRIBUTION_TYPE}" --distribution-format wheel
119120
if: ${{ matrix.python-version == inputs.default-python-version }}
120121
- name: "Verify wheel packages with twine"
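
Review bot: The comment `# Pin on virtualenv is temporary for pypa/hatch#2193` (new line 115) sits at the end of the `env:` block, two lines above the `uv tool install` command it explains; move it into the `run:` script next to that line so it stays with the constraint when the step is edited. Also, `--with 'virtualenv<21'` is an upper bound rather than a pin, so unlike `hatch==1.16.4` the resolved virtualenv version can still differ between runs of this packaging step. Either pin it exactly or reword the comment to say "cap".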

.pre-commit-config.yaml

Lines changed: 4 additions & 1 deletion
@@ -39,7 +39,7 @@ repos:
3939
language: python
4040
language_version: python311
4141
- repo: https://github.com/thlorenz/doctoc.git
42-
rev: 68f070c98b9a053eabfa7f8899d1f42b9919f98c # frozen: v2.2.0
42+
rev: d7815f1f950f8d5ec933fa4f70208bf316bb13f8 # frozen: v2.3.0
4343
hooks:
4444
- id: doctoc
4545
name: Add TOC for Markdown and RST files
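
Review bot: The `rev` on line 42 moves to a new commit SHA, and the `# frozen: v2.3.0` comment is the only thing tying that SHA to a release; pre-commit checks out the SHA and never reads the comment. Before merging, confirm that `d7815f1f950f8d5ec933fa4f70208bf316bb13f8` is the commit the upstream `v2.3.0` tag points to, ideally by regenerating the line with `pre-commit autoupdate --freeze` rather than editing it by hand.
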
@@ -56,6 +56,7 @@ repos:
5656
exclude:
5757
(?x)
5858
.github/PULL_REQUEST_TEMPLATE\.md$|
59+
.github/instructions/|
5960
.github/skills/
6061
args:
6162
- "--maxlevel"
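
Review bot: The added pattern `.github/instructions/|` (new line 59) is unanchored and its leading dot is unescaped, whereas the same directory is written `^\.github/instructions/` in the license hook hunk later in this file. pre-commit applies `exclude` as a regex search, so this form also matches any path that merely contains a segment such as `xgithub/instructions/`. It follows the neighbouring entries in this block, but prefer `^\.github/instructions/` here, and the neighbours could be tightened in the same pass.
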
@@ -194,6 +195,7 @@ repos:
194195
exclude:
195196
(?x)
196197
^scripts/ci/license-templates/|
198+
^\.github/instructions/|
197199
^\.github/skills/airflow-translations/SKILL\.md$
198200
- id: insert-license
199201
name: Add license for all other files
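
Review bot: `^\.github/instructions/|` (new line 198) exempts the whole directory from this license hook, while the entry directly below it exempts a single file, `SKILL\.md`. Any file later added under `.github/instructions/` will skip the license check without anyone deciding that it should. If the exemption exists because specific files must begin with front matter, list those files explicitly, or add a comment above the pattern stating why the directory is exempt.
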
@@ -625,6 +627,7 @@ repos:
625627
^providers/apache/hive/src/airflow/providers/apache/hive/transfers/vertica_to_hive\.py$|
626628
^providers/apache/kafka/docs/connections/kafka\.rst$|
627629
^providers/apache/spark/docs/decorators/pyspark\.rst$|
630+
^providers/apache/spark/docs/connections/spark-submit.rst$|
628631
^providers/apache/spark/src/airflow/providers/apache/spark/decorators/|
629632
^providers/apache/spark/src/airflow/providers/apache/spark/hooks/|
630633
^providers/apache/spark/src/airflow/providers/apache/spark/operators/|
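
Review bot: In the added line `^providers/apache/spark/docs/connections/spark-submit.rst$|` (new line 630) the dot before `rst` is not escaped, unlike `kafka\.rst$` and `pyspark\.rst$` just above it, so it matches any character in that position. Change it to `spark-submit\.rst$` to match the rest of the list.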
