From 550dd8e84a90a22cd76e44474e7bb3208633a862 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Tue, 2 Sep 2025 14:15:15 +0000
Subject: [PATCH] airflow-3/3.0.6-r1: fix GHSA-pph8-gcv7-4qj5
 <!--ci-cve-scan:must-fix: GHSA-pph8-gcv7-4qj5-->

---
 airflow-3.yaml                | 4 +++-
 airflow-3/cargobump-deps.yaml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 airflow-3/cargobump-deps.yaml

diff --git a/airflow-3.yaml b/airflow-3.yaml
index e1378af9993..b44c60f4cf0 100644
--- a/airflow-3.yaml
+++ b/airflow-3.yaml
@@ -1,7 +1,7 @@
 package:
   name: airflow-3
   version: "3.0.6"
-  epoch: 1
+  epoch: 2 # GHSA-pph8-gcv7-4qj5
   description: Platform to programmatically author, schedule, and monitor workflows
   options:
     #  There is a dependency on libarrow.so although it
@@ -85,6 +85,8 @@ pipeline:
       tag: ${{package.version}}
       expected-commit: e965c2e676d85ced65a485d4b2601addc2fd3e97
 
+  - uses: rust/cargobump
+
   - uses: patch
     with:
       patches: |
diff --git a/airflow-3/cargobump-deps.yaml b/airflow-3/cargobump-deps.yaml
new file mode 100644
index 00000000000..a4a281b3199
--- /dev/null
+++ b/airflow-3/cargobump-deps.yaml
@@ -0,0 +1,3 @@
+packages:
+  - name: pyo3
+    version: 0.24.1