apache · raushanprabhakar1 · May 14, 2026 · hubcio · May 14, 2026 · hubcio
diff --git a/.github/actions/python-maturin/pre-merge/action.yml b/.github/actions/python-maturin/pre-merge/action.yml
@@ -83,6 +83,10 @@ runs:
         echo "Running mypy on SDK..."
         uv run mypy --explicit-package-bases "$DIR_SDK"
         echo "mypy version: $(uv run mypy --version)"
+
+        echo "Running pyrefly on SDK..."
+        uv run pyrefly check
+        echo "pyrefly version: $(uv run pyrefly --version)"
       shell: bash
 
     - name: Build Python wheel with coverage instrumentation

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -87,6 +87,20 @@ repos:
         files: ^(foreign|bdd|examples)/python/(pyproject\.toml|uv\.lock)$
         pass_filenames: false
 
+      - id: uv-audit
+        name: uv audit (python dependencies)
+        entry: ./scripts/ci/uv-audit.sh
+        language: system
+        files: ^(foreign|bdd|examples)/python/(pyproject\.toml|uv\.lock)$
+        pass_filenames: false
+
+      - id: pyrefly
+        name: pyrefly (python sdk)
+        entry: ./scripts/ci/pyrefly-check.sh
+        language: system
+        files: ^foreign/python/(tests/.*\.py|apache_iggy\.pyi|pyproject\.toml)$
+        pass_filenames: false
+
       - id: version-consistency
         name: version consistency
         entry: ./scripts/extract-version.sh

diff --git a/bdd/python/uv.lock b/bdd/python/uv.lock
diff --git a/examples/python/uv.lock b/examples/python/uv.lock
diff --git a/foreign/python/pyproject.toml b/foreign/python/pyproject.toml
@@ -78,6 +78,10 @@ include = [
     ] },
 ]
 
+[tool.uv]
+exclude-newer = "7 days"
+exclude-newer-package = { urllib3 = false, pyrefly = false }
+
 [project.optional-dependencies]
 # Core testing dependencies
 testing = [
@@ -97,6 +101,7 @@ dev = [
     "black>=23.0,<27.0",
     "isort>=5.12.0,<6.0",
     "mypy>=1.5.0,<2.0",
+    "pyrefly>=1.0.0,<2.0",
     "ruff>=0.1.0,<1.0",
 ]
 
@@ -113,9 +118,17 @@ all = [
     "black>=23.0,<27.0",
     "isort>=5.12.0,<6.0",
     "mypy>=1.5.0,<2.0",
+    "pyrefly>=1.0.0,<2.0",
     "ruff>=0.1.0,<1.0",
 ]
 
+[tool.pyrefly]
+python-version = "3.10.0"
+preset = "legacy"
+project-includes = ["tests", "apache_iggy.pyi"]
+disable-search-path-heuristics = true
+search-path = ["."]
+
 [tool.pytest.ini_options]
 asyncio_mode = "auto"
 asyncio_default_fixture_loop_scope = "session"

diff --git a/foreign/python/uv.lock b/foreign/python/uv.lock
diff --git a/scripts/ci/pyrefly-check.sh b/scripts/ci/pyrefly-check.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -euo pipefail
+
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+if ! command -v uv >/dev/null 2>&1; then
+    echo -e "${RED}Error: uv is required but not installed${NC}"
+    echo -e "${YELLOW}Install with: curl -LsSf https://astral.sh/uv/install.sh | sh${NC}"
+    echo -e "${YELLOW}Or use: brew install uv${NC}"
+    exit 127
+fi
+
+cd "$REPO_ROOT/foreign/python"
+uv run pyrefly check
diff --git a/scripts/ci/uv-audit.sh b/scripts/ci/uv-audit.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cd "$REPO_ROOT"
+
+if ! command -v uv >/dev/null 2>&1; then
+    echo -e "${RED}Error: uv is required but not installed${NC}"
+    echo -e "${YELLOW}Install with: curl -LsSf https://astral.sh/uv/install.sh | sh${NC}"
+    echo -e "${YELLOW}Or use: brew install uv${NC}"
+    exit 127
+fi
+
+PYTHON_DIRS=(
+    "foreign/python"
+    "bdd/python"
+    "examples/python"
+)
+
+FAILED=0
+
+for dir in "${PYTHON_DIRS[@]}"; do
+    if [ ! -f "$dir/uv.lock" ]; then
+        continue
+    fi
+
+    echo -e "${GREEN}uv audit: $dir${NC}"
+    if ! (cd "$dir" && uv audit --frozen --preview-features audit); then
+        FAILED=1
+    fi
+done
+
+if [ "$FAILED" -ne 0 ]; then
+    echo ""
+    echo -e "${RED}uv audit reported vulnerabilities (see output above)${NC}"
+    exit 1
+fi