Merge branch 'main' into cast-entire-date32-array

Author: kumarUjjawal

.asf.yaml

@@ -58,6 +58,8 @@ github:
           - "Check Markdown Links"
           - "Validate required_status_checks in .asf.yaml"
           - "Spell Check with Typos"
+          - "Circular Dependency Check"
+          - "Detect Unused Dependencies"
     # needs to be updated as part of the release process
     # .asf.yaml doesn't support wildcard branch protection rules, only exact branch names
     # https://github.com/apache/infrastructure-asfyaml?tab=readme-ov-file#branch-protection

.github/workflows/audit.yml

@@ -45,7 +45,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - name: Install cargo-audit
-        uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486  # v2.75.18
+        uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a  # v2.75.23
         with:
           tool: cargo-audit
       - name: Run audit check

.github/workflows/breaking_changes_detector.yml

@@ -0,0 +1,142 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Detect semver-incompatible (breaking) API changes in crates modified by a PR.
+#
+# Only public workspace crates that have file changes are checked.
+# Internal crates (benchmarks, test-utils, sqllogictest, doc) are excluded.
+#
+# This workflow only runs cargo-semver-checks and uploads the result as an
+# artifact. The actual PR comment is posted by a companion workflow
+# (`breaking_changes_detector_comment.yml`) that picks up the artifact via
+# `workflow_run`.
+#
+# Why split it?
+#   "The GITHUB_TOKEN has read-only permissions in pull requests from forked
+#    repositories."
+#     https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
+# A read-only token cannot post comments, so on fork PRs the previous
+# single-workflow design failed with HTTP 403. We can't simply broaden the
+# trigger here either: cargo-semver-checks compiles PR code (build.rs, proc
+# macros), so granting this job a write token would expose it to any code
+# in the PR. And ASF infra policy independently forbids `pull_request_target`
+# for any workflow that exposes GITHUB_TOKEN
+# (https://infra.apache.org/github-actions-policy.html). The companion
+# `workflow_run` workflow runs in the base-repo context with write access
+# and never executes PR code.
+
+name: "Detect breaking changes"
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  check-semver:
+    name: Check semver
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+
+      # For fork PRs, `origin` points to the fork, not the upstream repo.
+      # Explicitly fetch the base branch from the upstream repo so we have
+      # a valid baseline ref for both diff and semver-checks.
+      - name: Fetch base branch
+        env:
+          BASE_REF: ${{ github.base_ref }}
+          REPO: ${{ github.repository }}
+        run: git fetch "https://github.com/${REPO}.git" "${BASE_REF}:refs/remotes/origin/${BASE_REF}"
+
+      - name: Determine changed crates
+        id: changed_crates
+        env:
+          BASE_REF: ${{ github.base_ref }}
+        run: |
+          PACKAGES=$(ci/scripts/changed_crates.sh changed-crates "origin/${BASE_REF}")
+          echo "packages=$PACKAGES" >> "$GITHUB_OUTPUT"
+          echo "Changed crates: $PACKAGES"
+
+      # `datafusion-substrait` (and crates that depend on it via sqllogictest)
+      # have a build script that calls protoc, which is not preinstalled on
+      # ubuntu-latest runners.
+      - name: Install Protobuf Compiler
+        if: steps.changed_crates.outputs.packages != ''
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y protobuf-compiler
+
+      - name: Install cargo-semver-checks
+        if: steps.changed_crates.outputs.packages != ''
+        uses: taiki-e/install-action@94cb46f8d6e437890146ffbd78a778b78e623fb2  # v2.74.0
+        with:
+          tool: cargo-semver-checks
+
+      - name: Run cargo-semver-checks
+        id: check_semver
+        if: steps.changed_crates.outputs.packages != ''
+        env:
+          BASE_REF: ${{ github.base_ref }}
+          PACKAGES: ${{ steps.changed_crates.outputs.packages }}
+        run: |
+          set +e
+          # `tee` lets cargo's output stream live into the Actions log
+          # while we also keep a copy for the PR comment.
+          ci/scripts/changed_crates.sh semver-check "origin/${BASE_REF}" $PACKAGES \
+            2>&1 | tee /tmp/semver-output.txt
+          EXIT_CODE=${PIPESTATUS[0]}
+          # Pass the result through an output instead of failing the job:
+          # a detected breaking change should surface as a PR comment, not a
+          # red check, so PR authors aren't confused by an intentional break.
+          if [ "$EXIT_CODE" -eq 0 ]; then
+            echo "result=success" >> "$GITHUB_OUTPUT"
+          else
+            echo "result=failure" >> "$GITHUB_OUTPUT"
+          fi
+
+      # Stage the data the companion comment workflow needs into a single
+      # directory. We default the result to "success" so the comment
+      # workflow clears any stale comment when the check step is skipped
+      # (e.g. no published crates changed).
+      - name: Stage artifact for comment workflow
+        if: always()
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          CHECK_RESULT: ${{ steps.check_semver.outputs.result || 'success' }}
+        run: |
+          mkdir -p semver-artifact
+          echo "$PR_NUMBER" > semver-artifact/pr_number
+          echo "$CHECK_RESULT" > semver-artifact/result
+          if [ -f /tmp/semver-output.txt ]; then
+            sed 's/\x1b\[[0-9;]*m//g' /tmp/semver-output.txt > semver-artifact/logs
+          else
+            : > semver-artifact/logs
+          fi
+
+      - name: Upload artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          name: semver-check-result
+          path: semver-artifact/
+          retention-days: 1

.github/workflows/breaking_changes_detector_comment.yml

@@ -0,0 +1,132 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Companion to `breaking_changes_detector.yml`. Posts the sticky PR comment.
+#
+# Why this workflow exists:
+#   "The GITHUB_TOKEN has read-only permissions in pull requests from forked
+#    repositories."
+#     https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
+# That is why the upstream `pull_request` workflow cannot post the comment
+# itself when the PR comes from a fork.
+#
+# Why not `pull_request_target`? ASF infra policy forbids it:
+#   "You MUST NOT use `pull_request_target` as a trigger on ANY action that
+#    exports ANY confidential credentials or tokens such as GITHUB_TOKEN or
+#    NPM_TOKEN."
+#     https://infra.apache.org/github-actions-policy.html
+# `workflow_run` is the supported alternative: it runs in the base
+# repository's context regardless of where the upstream run was triggered
+# from, so the GITHUB_TOKEN here can be granted `pull-requests: write`. See:
+#   https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run
+#
+# Security note: this workflow MUST NOT check out or execute any code from
+# the PR. The artifact's contents originate from a workflow run that may
+# have compiled fork-controlled code, so PR_NUMBER and CHECK_RESULT are
+# validated against strict patterns before being passed to any action.
+
+name: "Detect breaking changes - Comment"
+
+on:
+  workflow_run:
+    workflows: ["Detect breaking changes"]
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+jobs:
+  comment-on-pr:
+    name: Comment on pull request
+    if: github.event.workflow_run.event == 'pull_request'
+    runs-on: ubuntu-latest
+    # Scoped to the minimum needed to upsert/delete the sticky comment.
+    permissions:
+      actions: read
+      pull-requests: write
+    steps:
+      - name: Download semver-check artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: semver-check-result
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+          path: ./semver-artifact
+
+      - name: Read and validate artifact
+        id: read
+        run: |
+          set -euo pipefail
+          # Validate every field: the artifact comes from a workflow run
+          # that compiled fork-controlled code, so its contents are untrusted.
+          PR_NUMBER=$(cat ./semver-artifact/pr_number)
+          if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+            echo "Invalid PR number: $PR_NUMBER" >&2
+            exit 1
+          fi
+          CHECK_RESULT=$(cat ./semver-artifact/result)
+          if [[ "$CHECK_RESULT" != "success" && "$CHECK_RESULT" != "failure" ]]; then
+            echo "Invalid check result: $CHECK_RESULT" >&2
+            exit 1
+          fi
+          echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
+          echo "result=$CHECK_RESULT" >> "$GITHUB_OUTPUT"
+
+          # Multi-line output: random delimiter so a malicious log line can't
+          # close the heredoc and inject extra output keys. See:
+          #   https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
+          DELIM="EOF_$(openssl rand -hex 16)"
+          {
+            echo "logs<<${DELIM}"
+            cat ./semver-artifact/logs
+            echo "${DELIM}"
+          } >> "$GITHUB_OUTPUT"
+
+      # The marker `<!-- semver-check-comment -->` is what makes the comment
+      # "sticky": maintain-one-comment uses it to find and replace (or
+      # delete) the existing comment instead of stacking new ones.
+      - name: Upsert sticky comment
+        if: steps.read.outputs.result != 'success'
+        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a  # v3.3.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          number: ${{ steps.read.outputs.pr_number }}
+          body-include: '<!-- semver-check-comment -->'
+          body: |
+            <!-- semver-check-comment -->
+            Thank you for opening this pull request!
+
+            Reviewer note: [cargo-semver-checks](https://github.com/obi1kenobi/cargo-semver-checks) reported the current version number is not SemVer-compatible with the changes in this pull request (compared against the base branch).
+
+            <details>
+            <summary>Details</summary>
+
+            ```
+            ${{ steps.read.outputs.logs }}
+            ```
+
+            </details>
+
+      - name: Delete sticky comment
+        if: steps.read.outputs.result == 'success'
+        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a  # v3.3.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          number: ${{ steps.read.outputs.pr_number }}
+          body-include: '<!-- semver-check-comment -->'
+          delete: true

.github/workflows/dependencies.yml

@@ -25,13 +25,7 @@ on:
   push:
     branches-ignore:
       - 'gh-readonly-queue/**'
-    paths:
-      - "**/Cargo.toml"
-      - "**/Cargo.lock"
   pull_request:
-    paths:
-      - "**/Cargo.toml"
-      - "**/Cargo.lock"
   merge_group:
   # manual trigger
   # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
@@ -42,7 +36,7 @@ permissions:
 
 jobs:
   depcheck:
-    name: circular dependency check
+    name: Circular Dependency Check
     runs-on: ubuntu-latest
     container:
       image: amd64/rust
@@ -61,6 +55,7 @@ jobs:
           cargo run
 
   detect-unused-dependencies:
+    name: Detect Unused Dependencies
     runs-on: ubuntu-latest
     container:
       image: amd64/rust

.github/workflows/dev.yml

@@ -64,7 +64,7 @@ jobs:
           source ci/scripts/utils/tool_versions.sh
           echo "LYCHEE_VERSION=${LYCHEE_VERSION}" >> "$GITHUB_ENV"
       - name: Install lychee
-        uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486  # v2.75.18
+        uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a  # v2.75.23
         with:
           tool: lychee@${{ env.LYCHEE_VERSION }}
       - name: Run markdown link check

.github/workflows/docs.yaml

@@ -28,6 +28,8 @@ name: Deploy DataFusion site
 
 jobs:
   build-docs:
+    permissions:
+      contents: write
     name: Build docs
     runs-on: ubuntu-latest
     steps:

.github/workflows/rust.yml

@@ -42,6 +42,9 @@ on:
   # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # Check crate compiles and base cargo check passes
   linux-build-lib:
@@ -430,7 +433,7 @@ jobs:
           sudo apt-get update -qq
           sudo apt-get install -y -qq clang
       - name: Setup wasm-pack
-        uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486  # v2.75.18
+        uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a  # v2.75.23
         with:
           tool: wasm-pack
       - name: Run tests with headless mode
@@ -740,7 +743,7 @@ jobs:
         with:
           submodules: true
           fetch-depth: 1
-          
+
       - name: Mark repository as safe for git
         # Required for git commands inside container (avoids "dubious ownership" error)
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
@@ -770,7 +773,7 @@ jobs:
       - name: Setup Rust toolchain
         uses: ./.github/actions/setup-builder
       - name: Install cargo-msrv
-        uses: taiki-e/install-action@055f5df8c3f65ea01cd41e9dc855becd88953486  # v2.75.18
+        uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a  # v2.75.23
         with:
           tool: cargo-msrv