potiuk opened a new pull request, #133: URL: https://github.com/apache/airflow-steward/pull/133
## Summary

When the operator's machine has a valid Vulnogram OAuth session (the one-time `vulnogram-api-setup` per machine), `security-issue-sync` now **pushes the regenerated CVE JSON to the record automatically** via `vulnogram-api-record-update` immediately after Step 5a's regen. The release manager's role on the hand-off comment shifts from *"please paste the JSON yourself"* to *"verify the record matches and click through the state transitions"*. State-machine transitions (`DRAFT → REVIEW → READY → PUBLIC`) stay human-driven because they include the CNA-feed dispatch trigger; only the data write becomes automatic.

## Three outcomes from `vulnogram-api-check`

| Outcome | What sync does |
|---|---|
| `valid` | Run `vulnogram-api-record-update`. On success: record `PUSH_TIMESTAMP`, render the **OAuth-pushed** hand-off / publication-ready comment variant. On failure: surface the error verbatim, fall back to the manual-paste variant for this run. |
| `expired` | Skip the push. Recap nudges: *"Vulnogram OAuth session expired — re-run `vulnogram-api-setup` to restore automatic push."* Manual-paste hand-off applies. |
| `not-configured` | Skip the push silently. Today's manual-paste hand-off applies — not every operator runs the API path. |

## Files

- **`.claude/skills/security-issue-sync/SKILL.md`** — new Steps 5b (OAuth push) and 5c (hand-off comment variant reconciliation). Step 2b sections for the hand-off and publication-ready comments now describe the variant choice; Step 4 apply mechanic now branches into PATCH-edit-in-place when the marker is found and the existing body's variant differs from the variant the current run would render.
- **`tools/vulnogram/release-manager-handoff-comment-oauth-pushed.md`** (new) — OAuth-pushed variant of the hand-off comment. Same `<!-- apache-steward: release-manager-handoff v1 -->` marker as the manual-paste variant (idempotency detection unchanged); body asks the RM to verify + click through state transitions.
- **`tools/vulnogram/release-manager-publication-comment-oauth-pushed.md`** (new) — OAuth-pushed variant of the publication-ready comment. Same marker as the manual-paste variant; body covers the `REVIEW → PUBLIC` move only (no manual paste).

## PATCH-edit-in-place rationale

Per your direction: when a previous sync posted (say) the manual-paste hand-off and a subsequent sync's OAuth push succeeds, the existing comment is PATCH-edited in place to the OAuth-pushed body, preserving the comment URL, timeline position, and notifications. Same rationale as the rollup-comment PATCH-don't-post rule — a fresh duplicate comment buries the timeline. The flip works in either direction (OAuth-pushed → manual-paste if a future cookie expires), so the RM always sees the call-to-action that matches the current state of the record.

## Stacking

Stacks on top of #131 (*"prefer primary reporter thread over forwarder"*); both touch `security-issue-sync/SKILL.md` but in different sections, no conflict. Rebase to main after #131 lands.

## Operational sweep on `airflow-s` trackers (Part B — deferred)

Two trackers currently in the RM-owns-next state ([airflow-s#355](https://github.com/airflow-s/airflow-s/issues/355), [airflow-s#295](https://github.com/airflow-s/airflow-s/issues/295)) cannot be auto-pushed from this PR's session because `vulnogram-api-check` returned `not-configured` on the operator's machine. Once `vulnogram-api-setup` is run, re-invoking `/security-issue-sync 295,355` will exercise the new flow on both trackers — the hand-off comments will PATCH from manual-paste to OAuth-pushed in place.

## Test plan

- [ ] Walk a sync run on a tracker without OAuth credentials → confirm manual-paste hand-off still posts (zero behavior change).
- [ ] Walk a sync run on a tracker with `valid` OAuth + a real CVE → confirm `vulnogram-api-record-update` runs, the hand-off comment is rendered from the OAuth-pushed variant, and the rollup entry carries `PUSH_TIMESTAMP`.
- [ ] Walk a re-sync after the cookie expires → confirm the existing OAuth-pushed comment PATCHes to manual-paste, and the recap nudges to re-run `vulnogram-api-setup`.
- [ ] Confirm the publication-ready comment behaves the same way at Step 14.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
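The decision flow the PR describes (three `vulnogram-api-check` outcomes feeding Step 5b, then marker-based PATCH-edit-in-place reconciliation in Steps 4/5c), as an added example that is not code from apache/airflow-steward or from the PR. It keeps the PR's marker string verbatim; the two template bodies are constructed stand-ins for the files under `tools/vulnogram/`, the push itself is an injected `record_update` callable standing in for `vulnogram-api-record-update` (no real CLI is invoked), and "existing variant differs" is modelled as "the existing body differs from the body this run would render", which also makes repeated runs a no-op in either flip direction:

```python
"""Decision flow for Steps 5b/5c of security-issue-sync, as an added example.

This is not code from apache/airflow-steward. It models the PR's three
`vulnogram-api-check` outcomes and the marker-based PATCH-edit-in-place
reconciliation; the template texts, the injected `record_update` callable and
the "PATCH when the rendered body differs" rule are this example's assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Marker taken from the PR: both variants carry the same marker, so finding an
# existing hand-off comment works the same way regardless of variant.
HANDOFF_MARKER = "<!-- apache-steward: release-manager-handoff v1 -->"

# Constructed stand-ins for the two templates under tools/vulnogram/ (assumption:
# the real bodies are longer; only the call-to-action difference matters here).
TEMPLATES = {
    "manual-paste": (
        HANDOFF_MARKER
        + "\nPlease paste the regenerated CVE JSON into the Vulnogram record, "
        "then click through DRAFT -> REVIEW -> READY -> PUBLIC."
    ),
    "oauth-pushed": (
        HANDOFF_MARKER
        + "\nThe regenerated CVE JSON was pushed at {push_timestamp}. Verify the "
        "record matches, then click through DRAFT -> REVIEW -> READY -> PUBLIC."
    ),
}


@dataclass
class Comment:
    """Minimal view of a tracker comment: id (for PATCH) and body (for the marker)."""
    id: int
    body: str


@dataclass
class SyncResult:
    variant: str                  # "manual-paste" or "oauth-pushed"
    push_timestamp: Optional[str]
    action: str                   # "post", "patch" or "noop"
    comment_id: Optional[int]     # id to PATCH (None when posting fresh)
    body: str                     # rendered hand-off body
    recap: list[str] = field(default_factory=list)


def choose_variant(check_outcome: str,
                   record_update: Callable[[], tuple[bool, Optional[str]]],
                   recap: list[str],
                   now: datetime) -> tuple[str, Optional[str]]:
    """Step 5b: push only on a `valid` session; every other path keeps manual paste.

    `record_update` stands in for running `vulnogram-api-record-update` and is
    assumed to return (ok, error_message)."""
    if check_outcome == "valid":
        ok, error = record_update()
        if ok:
            return "oauth-pushed", now.isoformat(timespec="seconds")
        # Failure: surface the error verbatim and fall back for this run only.
        recap.append(f"vulnogram-api-record-update failed: {error}")
        return "manual-paste", None
    if check_outcome == "expired":
        recap.append("Vulnogram OAuth session expired; re-run "
                     "`vulnogram-api-setup` to restore automatic push.")
    # "not-configured" (and anything unknown) skips the push silently.
    return "manual-paste", None


def reconcile_handoff(existing: list[Comment], variant: str,
                      push_timestamp: Optional[str]) -> tuple[str, Optional[int], str]:
    """Steps 4/5c: locate the marked comment and PATCH it only when the body changes.

    Assumption: "variant differs" is detected by comparing the existing body with
    the body this run would render; an identical body is a no-op."""
    rendered = TEMPLATES[variant].format(push_timestamp=push_timestamp or "")
    marked = [c for c in existing if HANDOFF_MARKER in c.body]
    if not marked:
        return "post", None, rendered           # first sync: post a fresh comment
    target = marked[0]                          # marker is unique per tracker
    if target.body == rendered:
        return "noop", target.id, rendered      # already the right variant
    return "patch", target.id, rendered         # flip in place, keep URL/timeline


def run_sync(check_outcome: str, existing: list[Comment],
             record_update: Callable[[], tuple[bool, Optional[str]]],
             now: Optional[datetime] = None) -> SyncResult:
    """Wire Step 5b into the comment reconciliation and return what sync would do."""
    now = now or datetime.now(timezone.utc)
    recap: list[str] = []
    variant, ts = choose_variant(check_outcome, record_update, recap, now)
    action, comment_id, body = reconcile_handoff(existing, variant, ts)
    return SyncResult(variant, ts, action, comment_id, body, recap)


if __name__ == "__main__":
    # Constructed scenario: a previous run posted the manual-paste variant,
    # and this run has a valid OAuth session whose push succeeds.
    prior = [Comment(1, "unrelated triage note"),
             Comment(2, TEMPLATES["manual-paste"])]
    result = run_sync("valid", prior, lambda: (True, None))
    print(result.action, result.variant, result.comment_id)
```

The four test-plan items map onto `run_sync` directly: `not-configured` with no prior comment posts manual-paste, `valid` with a successful push PATCHes the existing manual-paste comment to OAuth-pushed, `expired` PATCHes it back and adds the setup nudge to the recap, and a failed push on a `valid` session leaves a manual-paste comment untouched while surfacing the error.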
