blob: 6b3192228ff8cec27be0c3095d19779f68a18bb4 [file]
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Root pyproject.toml — frames the framework root as a uv-managed
# project so the `[tool.uv] exclude-newer` cooldown below actually
# applies to the root-level tooling (currently just `prek`, declared
# under `[dependency-groups] dev`). `uv tool install` ignores
# pyproject.toml settings, so prek is installed into a uv-managed
# environment via `uv sync --group dev` instead.
#
# Not a Python package — `[tool.uv] package = false` below tells uv
# not to try to build a wheel from the framework root. The actual
# Python projects live under
# `tools/{vulnogram/generate-cve-json,gmail/oauth-draft}/` with their
# own pyproject.toml + uv.lock.
[project]
# Forward-looking name: the framework lives at `apache/airflow-steward`
# today (legacy from when it was Airflow's private security tracker)
# and is renaming to `apache/steward`. The package name here matches
# the future canonical name; no PyPI publication, so the name divergence
# from the GitHub slug is harmless.
name = "apache-steward"
version = "0.0.0"
description = "Reusable framework for handling security vulnerabilities in Apache projects."
requires-python = ">=3.11"
[dependency-groups]
# Dev tooling installed at the framework root. Currently just
# `prek` (the static-check / pre-commit runner). CI installs this
# group via `uv sync --group dev` and invokes `uv run prek …`.
# The lower bound mirrors `minimum_prek_version` in
# `.pre-commit-config.yaml`; the upper bound is enforced implicitly
# by the 7-day `[tool.uv] exclude-newer` cooldown below, so the
# resolved version is "the most recent prek that is at least 7 days
# old".
dev = [
"prek>=0.3.5",
]
[tool.uv]
# Pin the minimum uv version. Latest at the time of writing — bump
# manually when adopting features from newer uv releases.
required-version = ">=0.11.8"
# 7-day cooldown on dependency-resolution snapshots: a just-released
# package version has had a week to settle (retags, withdrawals,
# upstream incident reports) before uv will pick it up here. Same
# rationale as the 7-day cooldown on the Dependabot updates in
# `.github/dependabot.yml`.
exclude-newer = "7 days"
# Per-package override: `uv` itself is exempt from the 7-day cooldown
# above because the latest uv (which `required-version` pins to
# `>=0.11.8`) was released within the last 7 days, and the global
# cooldown would otherwise filter it out.
#
# TODO(remove on 2026-05-05): once 6 days have passed, uv 0.11.8
# (released 2026-04-27) will be older than the 7-day window and the
# global `exclude-newer` will cover it on its own — drop this
# override to keep the config minimal.
exclude-newer-package = { uv = "1 day" }
# This pyproject.toml is purely a settings file; do not build or
# install it as a package.
package = false