Synchronize GitHub workflows and Breeze tooling for 2.11 branch (#61598)

This commit synchronizes CI/CD infrastructure and development tooling
from the main branch to the 2.11 release branch, including:

GitHub Actions workflows:
- Pin GitHub actions to specific commit SHAs for security (actions/checkout@v4.3.1)
- Remove unnecessary 'secrets: inherit' declarations from workflow calls
- Add 'id-token: write' permission for prod image builds
- Update generate-constraints workflow with PyPI constraints support
- Remove unneeded 'recheck-old-bug-report' workflow

Breeze development tool updates:
- Upgrade Python minimum version from 3.9 to 3.10
- Update dependencies: black (>=25.0.0), packaging (>=25.0), pytest (>=8.3.3)
- Add 'prek' and 'restructuredtext-lint' dependencies
- Pin rich-click <1.9.0 to avoid breaking changes
- Unpin flit and flit-core versions for flexibility
- Update flit build-system requirement to >=3.11

Docker and CI infrastructure:
- Update Dockerfile base images and entrypoint scripts
- Refresh pre-commit hook configurations
- Update Breeze documentation and generated CLI output images

Code improvements:
- Add selective check for migration SQL files
- Update path utilities and test fixtures
- Refresh uv.lock with updated dependency resolution

The main point behind upgrading Python version to 3.10 is that
Python 3.9 is officially end-of-life and many of the dependencies
had already stopped releasing even security fixes for 3.9.

Since the upcoming 2.11.1 version is mainly a security-focused
release, we decided to drop support for Python 3.9 in order to
be able to upgrade all related dependencies to latest security
patch versions. There are absolutely minimal changes in behaviour
between Python 3.9 and 3.10 and we have not experienced virtually
any problems because of this - other than dependency issues, so
it should be very minimal overhead for anyone to upgrade to
Python 3.10 even if they used Python 3.9.

Author: potiuk

.github/actions/breeze/action.yml

@@ -21,7 +21,7 @@ description: 'Sets up Python and Breeze'
 inputs:
   python-version:
     description: 'Python version to use'
-    default: "3.9"
+    default: "3.10"
   use-uv:
     description: 'Whether to use uv tool'
     required: true
@@ -33,14 +33,16 @@ runs:
   using: "composite"
   steps:
     - name: "Setup python"
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
       with:
         python-version: ${{ inputs.python-version }}
     # NOTE! Installing Breeze without using cache is FASTER than when using cache - uv is so fast and has
     # so low overhead, that just running upload cache/restore cache is slower than installing it from scratch
     - name: "Install Breeze"
       shell: bash
       run: ./scripts/ci/install_breeze.sh
+      env:
+        PYTHON_VERSION: ${{ inputs.python-version }}
     - name: "Free space"
       shell: bash
       run: breeze ci free-space

.github/actions/install-pre-commit/action.yml

@@ -21,10 +21,10 @@ description: 'Installs pre-commit and related packages'
 inputs:
   python-version:
     description: 'Python version to use'
-    default: "3.9"
+    default: "3.10"
   uv-version:
     description: 'uv version to use'
-    default: "0.7.16"  # Keep this comment to allow automatic replacement of uv version
+    default: "0.9.11"  # Keep this comment to allow automatic replacement of uv version
   pre-commit-version:
     description: 'pre-commit version to use'
     default: "3.5.0"  # Keep this comment to allow automatic replacement of pre-commit version

.github/actions/post_tests_failure/action.yml

@@ -22,21 +22,21 @@ runs:
   using: "composite"
   steps:
     - name: "Upload airflow logs"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: airflow-logs-${{env.JOB_ID}}
         path: './files/airflow_logs*'
         retention-days: 7
         if-no-files-found: ignore
     - name: "Upload container logs"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: container-logs-${{env.JOB_ID}}
         path: "./files/container_logs*"
         retention-days: 7
         if-no-files-found: ignore
     - name: "Upload other logs"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: container-logs-${{env.JOB_ID}}
         path: "./files/other_logs*"

.github/actions/post_tests_success/action.yml

@@ -31,7 +31,7 @@ runs:
   using: "composite"
   steps:
     - name: "Upload artifact for warnings"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: test-warnings-${{ env.JOB_ID }}
         path: ./files/warnings-*.txt
@@ -44,7 +44,7 @@ runs:
         mkdir ./files/coverage-reports
         mv ./files/coverage*.xml ./files/coverage-reports/ || true
     - name: "Upload all coverage reports to codecov"
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238  # v4.6.0
       env:
         CODECOV_TOKEN: ${{ inputs.codecov-token }}
       if: env.ENABLE_COVERAGE == 'true' && env.TEST_TYPES != 'Helm' && inputs.python-version != '3.12'

.github/actions/prepare_all_ci_images/action.yml

@@ -36,12 +36,6 @@ runs:
     #       this should be implemented in stash action as list of keys to download.
     #       That includes 3.9 - 3.12 as we are backporting it to v2-11-test branch
     #       This is captured in https://github.com/apache/airflow/issues/45268
-    - name: "Restore CI docker image ${{ inputs.platform }}:3.9"
-      uses: ./.github/actions/prepare_single_ci_image
-      with:
-        platform: ${{ inputs.platform }}
-        python: "3.9"
-        python-versions-list-as-string: ${{ inputs.python-versions-list-as-string }}
     - name: "Restore CI docker image ${{ inputs.platform }}:3.10"
       uses: ./.github/actions/prepare_single_ci_image
       with:

.github/workflows/additional-ci-image-checks.yml

@@ -102,7 +102,6 @@ jobs:
       # This write is only given here for `push` events from "apache/airflow" repo. It is not given for PRs
       # from forks. This is to prevent malicious PRs from creating images in the "apache/airflow" repo.
       packages: write
-    secrets: inherit
     with:
       runs-on-as-json-public: ${{ inputs.runs-on-as-json-public }}
       runs-on-as-json-self-hosted: ${{ inputs.runs-on-as-json-self-hosted }}
@@ -138,7 +137,7 @@ jobs:
         shell: bash
         run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           persist-credentials: false
       - name: "Cleanup docker"
@@ -165,7 +164,6 @@ jobs:
 #    permissions:
 #      contents: read
 #      packages: write
-#    secrets: inherit
 #    with:
 #      platform: "linux/arm64"
 #      push-image: "false"

.github/workflows/additional-prod-image-tests.yml

@@ -111,7 +111,7 @@ jobs:
         shell: bash
         run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           fetch-depth: 2
           persist-credentials: false
@@ -151,7 +151,7 @@ jobs:
         shell: bash
         run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/automatic-backport.yml

@@ -37,7 +37,7 @@ jobs:
 
       - name: Find PR information
         id: pr-info
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b  # v7.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/backport-cli.yml

@@ -53,7 +53,7 @@ jobs:
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
         id: checkout-for-backport
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           persist-credentials: true
           fetch-depth: 0

.github/workflows/ci-image-build.yml

@@ -126,7 +126,7 @@ jobs:
         shell: bash
         run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
       - name: "Checkout target branch"
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           persist-credentials: false
       - name: "Cleanup docker"