justinmclean opened a new pull request, #207:
URL: https://github.com/apache/airflow-steward/pull/207
## What
Two policy gaps identified by checking the issue-* skill family
against the ASF Policy MCP:
1. **`issue-triage`** had no guard against posting a public comment
on an issue that turns out to be an undisclosed security
vulnerability.
2. **`issue-fix-workflow`** didn't mention the tool name in the
`Generated-by:` trailer example, and had no reminder to scrub
security-referencing language from commit messages.
## Changes
**`issue-triage/SKILL.md`**
- New Golden rule 8: requires the skill to scan for security signals
(RCE, auth bypass, CVE references, injection, etc.) before drafting
any public comment, surface a routing warning to
`security@<project>.apache.org`, and wait for explicit user
confirmation before continuing.
- New security screening section at the top of Step 3 so the check
is impossible to miss during classification.
**`issue-fix-workflow/SKILL.md`**
- Updated the `Generated-by:` trailer bullet to show the tool name
in the example, noting it as a recommended practice per the ASF
Generative Tooling guidance.
- New security language scrub bullet reminding the skill not to
reference the security nature of a change in commit messages, per
`security_committers` policy.
## Policy references
- https://www.apache.org/security/committers.html
- https://www.apache.org/legal/generative-tooling.html
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
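A screening helper of the kind the new triage rule and the commit-message scrub describe, as an added example. This is not code from apache/airflow-steward, its skill files, or the PR; the signal patterns, function names and the sample issue and commit text are assumptions constructed for illustration, and the `CVE-0000-0001` string is a placeholder, not a real identifier.

```python
"""Security-signal screen for issue text and commit messages (added example)."""
from __future__ import annotations

import re

# Illustrative signal patterns, constructed for this example rather than
# taken from the skill files.  Word boundaries keep "rce" from matching
# inside "force" and "cve" from matching inside "receive".
SECURITY_SIGNALS = {
    "cve_reference": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "rce": re.compile(r"\b(?:rce|remote code execution)\b", re.I),
    "auth_bypass": re.compile(
        r"\b(?:auth(?:entication|orization)?|login|permission)\s+bypass\b", re.I),
    "injection": re.compile(
        r"\b(?:sql|command|shell|template|ldap|header)\s+injection\b", re.I),
    "credential_exposure": re.compile(
        r"\b(?:leak(?:s|ed|ing)?|expos(?:es|ed|ing))\s+"
        r"(?:credentials?|secrets?|tokens?|passwords?|api\s+keys?)\b", re.I),
}

# Plain words that reveal the security nature of a change in a commit message.
SECURITY_WORDS = re.compile(
    r"\b(?:vulnerab(?:ility|ilities|le)|exploit(?:able|s|ed)?|security\s+fix)\b", re.I)

GENERATED_BY = re.compile(r"^Generated-by:\s*(\S.*)$", re.M)


def find_security_signals(text: str) -> list[str]:
    """Return the names of every signal category present in *text*."""
    return [name for name, rx in SECURITY_SIGNALS.items() if rx.search(text)]


def route_public_comment(issue_text: str, project: str,
                         user_confirmed: bool = False) -> dict:
    """Gate a public comment: no signals -> allowed; signals -> surface the
    security@<project>.apache.org routing and block until the user confirms."""
    signals = find_security_signals(issue_text)
    if not signals:
        return {"allowed": True, "signals": [], "route_to": None}
    return {
        "allowed": user_confirmed,
        "signals": signals,
        "route_to": f"security@{project}.apache.org",
    }


def commit_message_security_leaks(message: str) -> list[str]:
    """Return the security-referencing phrases a commit message should not carry."""
    found = []
    for rx in SECURITY_SIGNALS.values():
        found.extend(m.group(0) for m in rx.finditer(message))
    found.extend(m.group(0) for m in SECURITY_WORDS.finditer(message))
    return found


def generated_by_tool(message: str) -> str | None:
    """Return the tool named in the Generated-by: trailer, or None when the
    trailer is missing or carries no tool name."""
    m = GENERATED_BY.search(message)
    return m.group(1).strip() if m else None


# Constructed sample inputs (not real issues or commits).
ISSUE_BENIGN = "Scheduler logs show duplicate DAG run IDs after restart."
ISSUE_SECURITY = ("Unauthenticated users can reach /api/v1/dags; looks like an "
                  "auth bypass, see CVE-0000-0001.")
COMMIT_BAD = "Fix auth bypass in REST API (security fix)\n\nGenerated-by: Example Tool"
COMMIT_GOOD = "Validate session before serving DAG list\n\nGenerated-by: Example Tool"

if __name__ == "__main__":
    print(route_public_comment(ISSUE_BENIGN, "airflow"))
    print(route_public_comment(ISSUE_SECURITY, "airflow"))
    print("leaks in bad commit:", commit_message_security_leaks(COMMIT_BAD))
    print("leaks in good commit:", commit_message_security_leaks(COMMIT_GOOD))
    print("tool:", generated_by_tool(COMMIT_GOOD))
```

The gate deliberately returns the routing address together with the block so the caller can show the warning before asking for confirmation; the commit-message check reuses the same signal table so that a phrase which would trigger the triage warning is also flagged when it turns up in a commit message.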