potiuk opened a new pull request, #222:
URL: https://github.com/apache/airflow-steward/pull/222

   ## Summary
   
   Reshape the release-manager hand-off contract so the RM's surface is 
**Vulnogram-UI clicks, reviewer-thread responses, and the advisory send** — 
nothing else. The CVE-record API push and the entire post-advisory lifecycle 
close-out are driven by `security-issue-sync` on the archive-URL signal.
   
   Three coupled changes:
   
   1. **Drop `uv run` invocations from RM-facing instructions** in both 
hand-off templates. The CVE-record API push (and any re-push triggered by a 
body change) is run by the security team during sync via 
`vulnogram-api-record-update`, not by the RM. Even in the manual-paste fallback 
variant, the RM only pastes JSON in the `#source` UI; the API tooling is not 
exposed.
   
   2. **Sync drives the entire post-advisory lifecycle close-out.** On the next 
sync run after the advisory lands in the users-list archive, the skill — in a 
single combined apply triggered by the archive-URL signal — does all of:
      - Capture the URL into the *Public advisory URL* body field.
      - **Extract the public-facing short summary from the advisory email 
body** and write it back to the *Short public summary for publish* body field, 
so the tracker matches what actually shipped.
      - Flip the tracker labels (`fix released → announced - emails sent + 
announced`).
      - Regenerate and re-push the CVE JSON.
      - **Move the Vulnogram record `REVIEW → PUBLIC` via the OAuth API.** 
Formerly a manual Step-15 click; now driven by sync since the archive URL is 
the real-world signal that the advisory has actually shipped.
      - Move the project board to the `Announced` column.
      - Close the tracker.
   
   3. **Sync posts a conditional wrap-up comment** tagging the RM with the 
residual manual steps: archive the now-closed tracker from the `Announced` 
column, and — **only if every sibling on the tracker's milestone is also closed 
at that moment** — close the milestone via the URL the comment carries.
   
   The previous framing of `REVIEW → PUBLIC` as "intentionally human-only" is 
reversed. The gate is now "published archive URL captured", which collapses RM 
workflow to a small handful of clicks and one reviewer-thread response.
   
   ## Changes in this PR
   
   - [`tools/vulnogram/release-manager-handoff-comment-oauth-pushed.md`](tools/vulnogram/release-manager-handoff-comment-oauth-pushed.md) fully rewritten: 7 RM-facing steps, no `uv run` blocks, Step 6 documents the auto-publish flow, Step 7 follows the wrap-up comment.
   - [`tools/vulnogram/release-manager-handoff-comment.md`](tools/vulnogram/release-manager-handoff-comment.md) (manual-paste variant) reworked to match the same 7-step RM-facing shape with paste-into-`#source`-UI as the fallback when OAuth is unavailable. Still no `uv run` invocations RM-facing.
   - [`.claude/skills/security-issue-sync/SKILL.md`](.claude/skills/security-issue-sync/SKILL.md) — Step 2b's advisory-archive row rewritten as the combined-apply trigger; lifecycle-states table updated to reflect the collapsed 14 → 15 transition.
   
   ## Implementation TBD
   
   This PR is the **convention update**. The matching implementation lands in a 
follow-up PR:
   
   - New tool: `vulnogram-api-publish` (REVIEW → PUBLIC via OAuth API).
   - Sync code to extract the public short summary from the archived advisory 
email body.
   - Sync code to flip labels (`fix released → announced - emails sent + 
announced`) on the archive-URL signal.
   - Sync code to close the tracker as part of the combined apply.
   - Sync code to compose + post the conditional wrap-up comment (with the 
milestone URL when last-sibling).
   
   The convention documented here is the **target state**. Reviewers can land 
the doc changes first; the implementation can land alongside or follow.
   
   ## Worked examples (adopter dry-run)
   
   The Apache Airflow security team applied the same convention as an 
`.apache-steward-overrides` series today against 
[airflow-s/airflow-s](https://github.com/airflow-s/airflow-s) (#427, #428, #429 
merged in sequence). Two trackers carry handoff comments edited in place to the 
new shape:
   
   - [airflow-s#295 (CVE-2026-27173)](https://github.com/airflow-s/airflow-s/issues/295#issuecomment-4426567686)
   - [airflow-s#355 (CVE-2026-42526)](https://github.com/airflow-s/airflow-s/issues/355#issuecomment-4426663404)
   
   Both show the post-edit RM-facing shape and pair with the framework 
templates updated here.
   
   ## Test plan
   
   - [ ] Existing skill-validate / link-check pre-commit hooks pass.
   - [ ] No new `uv run` invocations in either handoff template's RM-facing 
body.
   - [ ] Template TOCs regenerate cleanly.
   - [ ] Implementation follow-up PR will carry the actual code + sandbox 
tests; this PR is doc-only.
   
   ## Co-changes
   
   Once this PR merges, the Apache Airflow adopter's local override at 
[`airflow-s/airflow-s .apache-steward-overrides/security-issue-sync.md`](https://github.com/airflow-s/airflow-s/blob/airflow-s/.apache-steward-overrides/security-issue-sync.md) 
becomes redundant and can be removed via `/setup-override-upstream`.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

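As an added illustration of the convention described in items 2 and 3 of the PR (this is not code from the PR, the `security-issue-sync` skill, or the follow-up implementation), here is a small pure-Python model of the archive-URL-triggered combined apply and the conditional wrap-up comment. The `Tracker` snapshot and its field names, the `siblings_closed` and `milestone_url` inputs, the `extract_short_summary` convention (first non-empty paragraph of the advisory body), and the `@release-manager` handle are assumptions made for the example; the label names and the ordered action list are taken from the PR text.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Tracker labels named in the PR text.
FIX_RELEASED = "fix released"
EMAILS_SENT = "announced - emails sent"
ANNOUNCED = "announced"


@dataclass(frozen=True)
class Tracker:
    """Hypothetical snapshot of a security tracker issue (field names assumed)."""
    number: int
    labels: frozenset
    milestone_url: str
    siblings_closed: Tuple[bool, ...]      # closed state of the other trackers on the milestone
    archive_url: Optional[str] = None      # "Public advisory URL" body field
    short_summary: Optional[str] = None    # "Short public summary for publish" body field
    board_column: str = "Fix released"
    closed: bool = False


def extract_short_summary(advisory_body: str) -> str:
    """Assumed convention: the first non-empty paragraph of the advisory mail body."""
    for paragraph in advisory_body.split("\n\n"):
        text = " ".join(paragraph.split())
        if text:
            return text
    raise ValueError("advisory body contains no text")


def wrap_up_comment(tracker: Tracker, rm_handle: str = "@release-manager") -> str:
    """Item 3: residual manual steps; the milestone link only when every sibling is closed."""
    lines = [
        f"{rm_handle} residual manual steps:",
        f"- archive #{tracker.number} from the Announced column",
    ]
    # all(()) is True: a tracker alone on its milestone is its own last sibling.
    if all(tracker.siblings_closed):
        lines.append(f"- close the milestone: {tracker.milestone_url}")
    return "\n".join(lines)


def combined_apply(tracker: Tracker, archive_url: str, advisory_body: str
                   ) -> Tuple[Tracker, List[str], Optional[str]]:
    """Item 2: one combined apply keyed on the archive-URL signal.

    Returns the updated tracker, the ordered actions a sync run would perform,
    and the wrap-up comment (None when nothing was applied).
    """
    # Idempotency guard: a captured URL means this apply already ran.
    if tracker.archive_url is not None:
        return tracker, [], None
    # Precondition: the tracker must actually be in the "fix released" state.
    if FIX_RELEASED not in tracker.labels:
        raise ValueError(f"#{tracker.number} is not in '{FIX_RELEASED}'")

    summary = extract_short_summary(advisory_body)
    new_labels = (tracker.labels - {FIX_RELEASED}) | {EMAILS_SENT, ANNOUNCED}
    actions = [
        f"capture public advisory URL: {archive_url}",
        f"write short public summary: {summary}",
        f"labels: {FIX_RELEASED} -> {EMAILS_SENT} + {ANNOUNCED}",
        "regenerate and re-push CVE JSON",
        "vulnogram-api-publish: REVIEW -> PUBLIC",
        "move project board card to Announced",
        "close tracker",
    ]
    updated = replace(tracker, archive_url=archive_url, short_summary=summary,
                      labels=frozenset(new_labels), board_column="Announced",
                      closed=True)
    return updated, actions, wrap_up_comment(updated)
```

The two checks worth keeping in a real implementation are the ones modelled here: the apply is a no-op once the archive URL is already captured (so a re-run of sync cannot flip labels or re-close a tracker twice), and it refuses to run from any state other than `fix released`, which is the only transition the PR's lifecycle table collapses.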