apache
diff --git a/‎.gitattributes‎
Lines changed: 6 additions & 2 deletions b/‎.gitattributes‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 3 additions & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/4-airflow_helmchart_bug_report.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/ISSUE_TEMPLATE/4-airflow_helmchart_bug_report.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 3 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/SECURITY.md‎
Lines changed: 19 additions & 32 deletions b/‎.github/SECURITY.md‎
Lines changed: 19 additions & 32 deletions
diff --git a/‎.github/actions/breeze/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/breeze/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/actions/install-prek/action.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/actions/install-prek/action.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/instructions/code-review.instructions.md‎
Lines changed: 69 additions & 0 deletions b/‎.github/instructions/code-review.instructions.md‎
Lines changed: 69 additions & 0 deletions
@@ -12,10 +12,14 @@ manifests export-ignore
 newsfragments export-ignore
 scripts export-ignore
 
-Dockerfile.ci export-ignore
+.github export-ignore
+
 CONTRIBUTING.rst export-ignore
 ISSUE_TRIAGE_PROCESS.rst export-ignore
-.github/PULL_REQUEST_TEMPLATE.md export-ignore
+
+AGENTS.md export-ignore
+SKILLS.md export-ignore
+CLAUDE.md export-ignore
 
 .asf.yaml export-ignore
 .bash_completion export-ignore
 
@@ -149,3 +149,6 @@ Dockerfile.ci @potiuk @ashb @gopidesupavan @amoghrajesh @jscheffl @bugraoz93 @ka
 
 # Shared Libraries
 /shared/ @ashb @amoghrajesh @potiuk
+
+# RMs on release documents
+/dev/README_RELEASE_*.md @potiuk @jscheffl @vincbeck @shahar1 @jedcunningham @bugraoz93
@@ -37,7 +37,8 @@ body:
         What Apache Airflow Helm Chart version are you using?
       multiple: false
       options:
-        - "1.18.0 (latest released)"
+        - "1.19.0 (latest released)"
+        - "1.18.0"
         - "1.17.0"
         - "1.16.0"
         - "1.15.0"
 
@@ -1,3 +1,6 @@
+ <!-- SPDX-License-Identifier: Apache-2.0
+      https://www.apache.org/licenses/LICENSE-2.0 -->
+
 <!--
 Thank you for contributing!
 
 
@@ -1,35 +1,22 @@
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
--->
+ <!-- SPDX-License-Identifier: Apache-2.0
+      https://www.apache.org/licenses/LICENSE-2.0 -->
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
-- [What should be and should NOT be reported ?](#what-should-be-and-should-not-be-reported-)
-- [How to report the issue ?](#how-to-report-the-issue-)
-- [Is this really a security vulnerability ?](#is-this-really-a-security-vulnerability-)
-- [How do we assess severity of the issue ?](#how-do-we-assess-severity-of-the-issue-)
-- [What happens after you report the issue ?](#what-happens-after-you-report-the-issue-)
-- [Does CVE in Airflow Providers impact Airflow core package ?](#does-cve-in-airflow-providers-impact-airflow-core-package-)
-- [Where do I find more information about Airflow Security ?](#where-do-i-find-more-information-about-airflow-security-)
+- [Apache Airflow Security](#apache-airflow-security)
+  - [What should be and should NOT be reported ?](#what-should-be-and-should-not-be-reported-)
+  - [How to report the issue ?](#how-to-report-the-issue-)
+  - [Is this really a security vulnerability ?](#is-this-really-a-security-vulnerability-)
+  - [How do we assess severity of the issue ?](#how-do-we-assess-severity-of-the-issue-)
+  - [What happens after you report the issue ?](#what-happens-after-you-report-the-issue-)
+  - [Does CVE in Airflow Providers impact Airflow core package ?](#does-cve-in-airflow-providers-impact-airflow-core-package-)
+  - [Where do I find more information about Airflow Security ?](#where-do-i-find-more-information-about-airflow-security-)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
+# Apache Airflow Security
+
 This document contains information on how to report security vulnerabilities in Apache Airflow and
 how security issues reported to the Apache Airflow security team are handled. If you would like
 to learn more, head to the
@@ -46,7 +33,7 @@ e-mail address [security@airflow.apache.org](mailto:security@airflow.apache.org)
 Before sending the report, however, please read the following guidelines first. The guidelines should
 answer the most common questions you might have about reporting vulnerabilities.
 
-### What should be and should NOT be reported ?
+## What should be and should NOT be reported ?
 
 **Only** use the security e-mail address to report undisclosed security vulnerabilities in Apache
 Airflow and to manage the process of fixing such vulnerabilities. We do not accept regular
@@ -61,13 +48,13 @@ with dependencies in Airflow Docker reference image - there is a page that descr
 [Airflow reference Image is fixed at release time](https://airflow.apache.org/docs/docker-stack/index.html#fixing-images-at-release-time) and providing helpful instructions explaining
 how you can build your own image and manage dependencies of Airflow in your own image.
 
-### How to report the issue ?
+## How to report the issue ?
 
 Please send one plain-text email for each vulnerability you are reporting including an explanation
 of how it affects Airflow security. We may ask that you resubmit your report if you send it as an image,
 movie, HTML, or PDF attachment when you could as easily describe it with plain text.
 
-### Is this really a security vulnerability ?
+## Is this really a security vulnerability ?
 
 Before reporting vulnerabilities, please make sure to read and understand the [security model](https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html)
 of Airflow, because some of the potential security vulnerabilities that are valid for projects that are
@@ -85,7 +72,7 @@ a lot of time on preparing the issue report to follow the guidelines above and w
 save time for yourself and for the Airflow Security team by reading and understanding the security model
 before reporting the issue.
 
-### How do we assess severity of the issue ?
+## How do we assess severity of the issue ?
 
 Severity of the issue is determined based on the criteria described in
 the [Severity Rating blog post](https://security.apache.org/blog/severityrating/) by the Apache Software Foundation Security team.
@@ -95,7 +82,7 @@ do not apply to Airflow, or have a different severity than some generic scoring
 (for example `CVSS`) calculation suggests. So we are not using any generic scoring system.
 
 
-### What happens after you report the issue ?
+## What happens after you report the issue ?
 
 The Airflow Security Team will get back to you after assessing the report. You will usually get
 confirmation that the issue is being worked (or that we quickly assessed it as invalid) within several
@@ -116,7 +103,7 @@ Security issues in Airflow are handled by the Airflow Security Team. Details abo
 Team and how members of it are chosen can be found in the
 [Contributing documentation](https://github.com/apache/airflow/blob/main/contributing-docs/01_roles_in_airflow_project.rst#security-team).
 
-### Does CVE in Airflow Providers impact Airflow core package ?
+## Does CVE in Airflow Providers impact Airflow core package ?
 
 Airflow core package is released separately from provider distributions. While Airflow comes with ``constraints``
 which describe which version of providers have been tested when the version of Airflow was released, the
@@ -126,7 +113,7 @@ not apply to the Airflow core package. There are also Airflow providers released
 Airflow community is not responsible for releasing and announcing security vulnerabilities in them, this
 is handled entirely by the 3rd-parties that release their own providers.
 
-### Where do I find more information about Airflow Security ?
+## Where do I find more information about Airflow Security ?
 
 If you wish to know more about the ASF security process,
 the [ASF Security team's page](https://www.apache.org/security/) describes
 
@@ -24,7 +24,7 @@ inputs:
     default: "3.10"
   uv-version:
     description: 'uv version to use'
-    default: "0.10.2"  # Keep this comment to allow automatic replacement of uv version
+    default: "0.10.6"  # Keep this comment to allow automatic replacement of uv version
 outputs:
   host-python-version:
     description: Python version used in host
 
@@ -24,10 +24,10 @@ inputs:
     default: "3.10"
   uv-version:
     description: 'uv version to use'
-    default: "0.10.2"  # Keep this comment to allow automatic replacement of uv version
+    default: "0.10.6"  # Keep this comment to allow automatic replacement of uv version
   prek-version:
     description: 'prek version to use'
-    default: "0.3.2"  # Keep this comment to allow automatic replacement of prek version
+    default: "0.3.3"  # Keep this comment to allow automatic replacement of prek version
   save-cache:
     description: "Whether to save prek cache"
     required: true
 
@@ -0,0 +1,69 @@
+---
+applyTo: "**"
+excludeAgent: "coding-agent"
+---
+
+# Airflow Code Review Instructions
+
+Use these rules when reviewing pull requests to the Apache Airflow repository.
+
+## Architecture Boundaries
+
+- **Scheduler must never run user code.** It only processes serialized Dags. Flag any scheduler-path code that deserializes or executes Dag/task code.
+- **Workers must not access the metadata DB directly.** Task execution communicates with the API server through the Execution API (`/execution` endpoints) only.
+- **Dag Processor and Triggerer run user code in isolated processes.** Code in these components should maintain that isolation.
+- **Providers must not import core internals** like `SUPERVISOR_COMMS` or task-runner plumbing. Providers interact through the public SDK and execution API only.
+
+## Database and Query Correctness
+
+- **N+1 queries**: Flag SQLAlchemy queries that access relationships inside loops without `joinedload()` or `selectinload()`.
+- **`run_id` is only unique per Dag.** Queries that group, partition, or join on `run_id` alone (without `dag_id`) will collide across Dags. Always require `(dag_id, run_id)` together.
+- **Cross-database compatibility**: SQL changes must work on PostgreSQL, MySQL, and SQLite. Flag database-specific features (lateral joins, window functions) without cross-DB handling.
+- **Session discipline**: In `airflow-core`, functions receiving a `session` parameter must not call `session.commit()`. Use keyword-only `session` parameters.
+
+## Code Quality Rules
+
+- No `assert` in production code (stripped in optimized Python).
+- `time.monotonic()` for durations, not `time.time()`.
+- Imports at top of file. Valid exceptions: circular imports, lazy loading for worker isolation, `TYPE_CHECKING` blocks.
+- Guard heavy type-only imports (e.g., `kubernetes.client`) with `TYPE_CHECKING` in multi-process code paths.
+- Unbounded caches are bugs: all `@lru_cache` must have `maxsize`.
+- Resources (files, connections, sessions) must use context managers or `try/finally`.
+
+## Testing Requirements
+
+- New behavior requires tests covering success, failure, and edge cases.
+- Use pytest patterns, not `unittest.TestCase`.
+- Use `spec`/`autospec` when mocking.
+- Use `time_machine` for time-dependent tests.
+- Imports belong at the top of test files, not inside test functions.
+- Issue numbers do not belong in test docstrings.
+
+## API Correctness
+
+- `map_index` must be handled correctly for mapped tasks. Queries without `map_index` filtering may return arbitrary task instances.
+- Execution API changes must follow Cadwyn versioning (CalVer format).
+
+## UI Code (React/TypeScript)
+
+- Avoid `useState + useEffect` to sync derived state. Use nullish coalescing or nullable override patterns instead.
+- Extract shared logic into custom hooks rather than copy-pasting across components.
+
+## AI-Generated Code Signals
+
+Flag these patterns that indicate low-quality AI-generated contributions:
+
+- **Fabricated diffs**: Changes to files or code paths that don't exist in the repository.
+- **Unrelated files included**: Changes to files that have nothing to do with the stated purpose of the PR.
+- **Description doesn't match code**: PR description describes something different from what the code actually does.
+- **No evidence of testing**: Claims of fixes without test evidence, or author admitting they cannot run the test suite.
+- **Over-engineered solutions**: Adding caching layers, complex locking, or benchmark scripts for problems that don't exist or are misunderstood.
+- **Narrating comments**: Comments that restate what the next line does (e.g., `# Add the item to the list` before `list.append(item)`).
+- **Empty PR descriptions**: PRs with just the template filled in and no actual description of the changes.
+
+## Quality Signals to Check
+
+The absence of these signals in a "fix" or "optimization" PR is itself a red flag:
+
+- **Bug fixes need regression tests**: A test that fails without the fix and passes with it.
+- **Existing tests must still pass without modification**: If existing tests need changes to pass, the PR may introduce a behavioral regression.