Bump apache-airflow from 2.10.5 to 3.1.3

[dependabot]

Bumps apache-airflow from 2.10.5 to 3.1.3.

Release notes

Sourced from apache-airflow's releases.

Apache Airflow 3.1.3

📦 PyPI: https://pypi.org/project/apache-airflow/3.1.3/ 📚 Docs: https://airflow.apache.org/docs/apache-airflow/3.1.3/ 🛠 Release Notes: https://airflow.apache.org/docs/apache-airflow/3.1.3/release_notes.html 🐳 Docker Image: "docker pull apache/airflow:3.1.3" 🚏 Constraints: https://github.com/apache/airflow/tree/constraints-3.1.3

Significant Changes

Fix Connection & Variable access in API server contexts (plugins, log handlers)(#56583)

Previously, hooks used in API server contexts (plugins, middlewares, log handlers) would fail with an ImportError for SUPERVISOR_COMMS, because SUPERVISOR_COMMS only exists in task runner child processes.

This has been fixed by implementing automatic context detection with three separate secrets backend chains:

Context Detection:

1. Client contexts (task runner in worker): Detected via SUPERVISOR_COMMS presence
2. Server contexts (API server, scheduler): Explicitly marked with _AIRFLOW_PROCESS_CONTEXT=server environment variable
3. Fallback contexts (supervisor, unknown contexts): Neither marker present, uses minimal safe chain

Backend Chains:

• Client: EnvironmentVariablesBackend → ExecutionAPISecretsBackend (routes to Execution API via SUPERVISOR_COMMS)
• Server: EnvironmentVariablesBackend → MetastoreBackend (direct database access)
• Fallback: EnvironmentVariablesBackend only (+ external backends from config like AWS Secrets Manager, Vault)

The fallback chain is crucial for supervisor processes (worker-side, before task runner starts) which need to access external secrets for remote logging setup but should not use MetastoreBackend (to maintain worker isolation).

Architecture Benefits:

• Workers (supervisor + task runner) never use MetastoreBackend, maintaining strict isolation
• External secrets backends (AWS Secrets Manager, Vault, etc.) work in all three contexts
• Supervisor falls back to Execution API client for connections not found in external backends
• API server and scheduler have direct database access for optimal performance

Impact:

• Hooks like GCSHook, S3Hook now work correctly in log handlers and plugins
• No code changes required for existing plugins or hooks
• Workers remain isolated from direct database access (network-level DB blocking fully supported)
• External secrets work everywhere (workers, supervisor, API server)
• Robust handling of unknown contexts with safe minimal chain

See: [#56120](https://github.com/apache/airflow/issues/56120) <https://github.com/apache/airflow/issues/56120>, [#56583](https://github.com/apache/airflow/issues/56583) <https://github.com/apache/airflow/issues/56583>, [#51816](https://github.com/apache/airflow/issues/51816) <https://github.com/apache/airflow/issues/51816>__

Remove insecure dag reports API endpoint that executed user code in API server (#56609)

... (truncated)

Commits

• df94ff6 Update RELEASE_NOTES.rst
• 1653fa1 Update Airflow version to 3.1.3 and Task SDK to 1.1.3
• 8c8fb58 [v3-1-test] fix: HITL params not validating (#57547) (#58144)
• 4544c1e [v3-1-test] CI: Upgrade important CI environment (#58164) (#58170)
• 154d48c [v3-1-test] Convert all airflow distributions to be compliant with ASF requir...
• 3bbb78e [v3-1-test] Update Release instruction to include Task SDK version update (#5...
• 3f80b65 [v3-1-test] Remove deprecation warning in common test utils (#58152) (#58166)
• d226301 [v3-1-test] close spanish gap airflow 3.1 (#58117) (#58151)
• 03fc7a0 close catalan gap (#58109)
• a6bbf45 [v3-1-test] Enable PT006 rule to dev (#57834) (#57890)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)