potiuk opened a new pull request, #214: URL: https://github.com/apache/airflow-steward/pull/214
## Summary

When a `<security-list>` report arrives describing behaviour that an independent public PR in `<upstream>` already appears to fix, the project's existing policy (inherited from [`security-issue-import-from-pr`](https://github.com/apache/airflow-steward/blob/main/.claude/skills/security-issue-import-from-pr/SKILL.md#reporter-credit-policy-for-public-pr-imports)) applies: thank the reporter, do **not** award finder credit, point at the PR, and ask them to verify whether it addresses what they reported.

Previously the skills had no handle for this case — `security-issue-triage` would classify the resulting tracker into one of the existing five classes and the no-credit policy was easy to miss; worse, `security-issue-import` would default to creating a tracker that was destined to be closed.

This PR introduces a **two-layer fix**:

- **`security-issue-import` — pre-import gate (so we don't create the tracker unnecessarily).** A new **Step 2c** searches `<upstream>` for an already-public fix (reporter-linked PR, code-pointer + vulnerability-class match, GHSA cross-ref). A new `fix-already-public` classification does **not** default to import, comes with an explicit reply shape (thank without credit + verify-with-PR + come-back-if-not-fixed), and exposes a `NN:reject-with-public-fix <PR-URL>` user override for the cases automatic detection misses. Step 7 drafts the Gmail reply but creates no tracker; the PR stays unaware of the private report (no-outreach posture mirrored from `security-issue-import-from-pr`).
- **`security-issue-triage` — safety net (when the import was already created before the public PR was noticed).** A new sixth disposition class `FIX-ALREADY-PUBLIC` cites the PR, drafts a reporter-reply template, and routes to `/security-issue-invalidate` after the reporter confirms the PR fixes their report (or to `--retriage` if they say it does not).

Docs updated to reflect the new class and its routing: `docs/security/process.md`, `docs/security/README.md`, `AGENTS.md`.

## Files changed

- `.claude/skills/security-issue-import/SKILL.md` — Step 2c, `fix-already-public` row in Step 3, reply shape + `reject-with-public-fix` override in Step 5/6, Step 7 application logic.
- `.claude/skills/security-issue-triage/SKILL.md` — 6th disposition class with detection criteria, policy reference, draft reply template, sibling-skill routing.
- `AGENTS.md`, `docs/security/process.md`, `docs/security/README.md` — sync the class enumerations and routing tables.

## Test plan

- [x] `prek run --all-files` — clean
- [x] `skill-validate` — no violations
- [ ] Reviewer-eyes pass on the new reply template (does the thank-without-credit wording land as polite-but-firm in the project's tone?)
- [ ] Reviewer sanity-check on the *PR-was-filed-in-response* guard heuristics in Step 2c — does the current triage-time-vs-PR-creation-time rule cover the common cases?

🤖 Generated with [Claude Code](https://claude.com/claude-code)
