potiuk opened a new pull request, #223:
URL: https://github.com/apache/airflow-steward/pull/223
## Summary
Add `vulnogram-api-record-publish` — a new CLI that drives the `REVIEW →
PUBLIC` state transition over the OAuth API. Companion to the existing
`vulnogram-api-record-update` (which is content-only) and motivated by the
convention update in #222 (RM handoff: no shell commands; sync drives the
post-advisory close-out).
## Why
Before this PR, the `REVIEW → PUBLIC` transition was the last manual step in
the security lifecycle — a Vulnogram UI button click, intentionally human-only
because of the CNA-feed dispatch side effect. The new convention from #222
reverses that: on the "published archive URL captured" signal (the advisory
provably shipped on `<users-list>`), `security-issue-sync` now drives the
publish over the OAuth API. This PR provides the tool that the sync step calls.
## Design
Intentionally narrow — `record_publish` only flips `CNA_private.state` to
`"PUBLIC"`, preserving every other field. The existing `record_update` accepts
arbitrary JSON which is the wrong shape for a state-transition (a content edit
could smuggle through the publish path).
1. Fetch the current stored JSON via `get_record`.
2. Refuse the transition unless the current state is in the accepted set
(default `{"REVIEW"}`; `--allow-state` widens it for cases like `READY →
PUBLIC`).
3. Set `CNA_private.state = "PUBLIC"`.
4. POST via `update_record`.
Idempotent on records already in `PUBLIC` (exit 0 with an informational
message). Refuses unexpected states with exit 3 — a sync that re-runs the
publish on an already-published tracker is a bug, not a no-op.
## CLI
```text
vulnogram-api-record-publish --cve-id CVE-YYYY-NNNNN [--allow-state STATE]*
[--dry-run]
```
Exit codes mirror `record_update`: 0 success / 2 session expired / 3
unexpected state / 4 CSRF / 5 save failed / 6 other API error / 7 unexpected
envelope.
## Tests
Seven `tests/test_record_publish.py` cases, all pass:
- Invalid CVE-ID form → rejected pre-network.
- Already `PUBLIC` → no-op, exit 0.
- Unexpected state → refusal with the observed state name, exit 3.
- `--allow-state REVIEW --allow-state READY` widens the accepted set.
- `--dry-run` reports without POSTing.
- Apply path flips `state` to `PUBLIC` and POSTs once with the correct
document.
- `SessionExpired` from `get_record` returns exit 2.
```text
$ uv run pytest tests/test_record_publish.py
.......
[100%]
7 passed in 0.03s
```
Stdlib-only at runtime — consistent with the rest of `vulnogram-api`.
## Relationship to other PRs in this arc
- #222 — convention + documentation update. Describes the post-advisory
close-out flow the new tool participates in. **This PR is the matching code
piece.**
- (Future) sync-skill code update — extend `security-issue-sync` to actually
call `vulnogram-api-record-publish` on the archive-URL signal, compose the
wrap-up comment, flip labels, close the tracker. Lands once #222 + this PR land.
## Test plan
- [x] `uv run pytest tests/test_record_publish.py` passes (all 7).
- [x] `uv run ruff format` / `ruff check` pass (verified via pre-commit).
- [x] `uv run mypy` passes (verified via pre-commit).
- [ ] Live smoke test against `cveprocess.apache.org` deferred to a
follow-up — requires a CVE record in `REVIEW` state and an authenticated
session; PR author will exercise once #222 lands and the next live advisory is
dispatched.
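The guarded state transition described under "Design" (fetch, refuse unless the current state is accepted, flip only `CNA_private.state`, POST once, stay idempotent on `PUBLIC`), as an added example that is not the PR's own code. The `get_record`/`update_record` callables, the `SessionExpired`/`SaveFailed` exception names, the record shape and the in-memory `FakeVulnogram` stand-in are assumptions made for the demo; only the exit-code values 0, 2, 3 and 5 are taken from the PR text.

```python
"""Added illustration of a narrow REVIEW -> PUBLIC transition guard.

Not the airflow-steward code: the API callables, exception names, record
shape and in-memory store below are assumptions for the demo.
"""
import copy
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Exit codes as stated in the PR description.
EXIT_OK = 0
EXIT_SESSION_EXPIRED = 2
EXIT_UNEXPECTED_STATE = 3
EXIT_SAVE_FAILED = 5

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


class SessionExpired(Exception):
    """Assumed: raised by the API client when the OAuth session is gone."""


class SaveFailed(Exception):
    """Assumed: raised by the API client when the POST is rejected."""


@dataclass
class Result:
    code: int
    message: str
    posted: bool = False


def publish_record(
    cve_id: str,
    get_record: Callable[[str], dict],
    update_record: Callable[[str, dict], None],
    allow_states: FrozenSet[str] = frozenset({"REVIEW"}),
    dry_run: bool = False,
) -> Result:
    """Flip CNA_private.state to PUBLIC, and nothing else, if the guard allows it."""
    # Reject malformed identifiers before any network call (assumed: ValueError).
    if not CVE_ID_RE.fullmatch(cve_id):
        raise ValueError(f"not a CVE-ID: {cve_id!r}")

    try:
        record = get_record(cve_id)
    except SessionExpired:
        return Result(EXIT_SESSION_EXPIRED, "session expired; re-authenticate")

    state = record.get("CNA_private", {}).get("state")
    # Idempotent: a second run on a published record is a no-op, exit 0.
    if state == "PUBLIC":
        return Result(EXIT_OK, f"{cve_id} is already PUBLIC; nothing to do")
    # Anything outside the accepted set is a refusal, exit 3, naming the state seen.
    if state not in allow_states:
        return Result(
            EXIT_UNEXPECTED_STATE,
            f"refusing: {cve_id} is in state {state!r}, expected one of {sorted(allow_states)}",
        )

    # Only the state changes; every other field is carried through untouched.
    updated = copy.deepcopy(record)
    updated["CNA_private"]["state"] = "PUBLIC"

    if dry_run:
        return Result(EXIT_OK, f"dry-run: would publish {cve_id} ({state} -> PUBLIC)")
    try:
        update_record(cve_id, updated)
    except SaveFailed as exc:
        return Result(EXIT_SAVE_FAILED, f"save failed: {exc}")
    return Result(EXIT_OK, f"published {cve_id} ({state} -> PUBLIC)", posted=True)


class FakeVulnogram:
    """Constructed in-memory stand-in for the record API, for exercising the guard."""

    def __init__(self, records: Dict[str, dict]) -> None:
        self.records = records
        self.posts: List[Tuple[str, dict]] = []

    def get_record(self, cve_id: str) -> dict:
        return copy.deepcopy(self.records[cve_id])

    def update_record(self, cve_id: str, doc: dict) -> None:
        self.posts.append((cve_id, copy.deepcopy(doc)))
        self.records[cve_id] = copy.deepcopy(doc)


def demo_store() -> FakeVulnogram:
    """Constructed sample records covering the accepted, already-public and refused cases."""
    return FakeVulnogram({
        "CVE-2099-0001": {"CNA_private": {"state": "REVIEW"},
                          "containers": {"cna": {"title": "constructed sample"}}},
        "CVE-2099-0002": {"CNA_private": {"state": "PUBLIC"}},
        "CVE-2099-0003": {"CNA_private": {"state": "RESERVED"}},
        "CVE-2099-0004": {"CNA_private": {"state": "READY"}},
    })


if __name__ == "__main__":
    api = demo_store()
    for cid in ("CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003"):
        r = publish_record(cid, api.get_record, api.update_record)
        print(r.code, r.message)
```

The ordering of the two checks matters: the `PUBLIC` short-circuit comes before the accepted-set test, so a re-run after a successful publish exits 0 without POSTing, while any other unexpected state is a hard refusal that names what was observed.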
--
This is an automated message from the Apache Git Service.