potiuk opened a new pull request, #225:
URL: https://github.com/apache/airflow-steward/pull/225
## Summary
Complete the post-advisory close-out chain by adding three new action
bullets to Step 4 (*Apply confirmed changes*) in
[`security-issue-sync/SKILL.md`](.claude/skills/security-issue-sync/SKILL.md).
This is the orchestration piece that ties together the three
previously-merged PRs:
| PR | Provides |
|---|---|
| #222 | Convention + handoff templates + Step 2b *Advisory archived* trigger description |
| #223 | `vulnogram-api-record-publish` CLI (REVIEW → PUBLIC over the OAuth API) |
| #224 | `release-manager-wrap-up-comment.md` template |
| **This PR** | The concrete per-action recipes Step 4 reads when executing the combined apply |
## Three new Step 4 bullets
### Vulnogram state transition (REVIEW → PUBLIC)
```bash
uv run --project <framework>/tools/vulnogram/oauth-api \
  vulnogram-api-record-publish --cve-id <CVE-YYYY-NNNNN>
```
Locked to the "Advisory archived on `<users-list>`" combined-apply trigger;
idempotent on already-PUBLIC; refuses unexpected states with exit 3.
### Advisory short-summary extraction
Fetches the archived advisory email body from `lists.apache.org`, extracts
the prose block between the CVE header line and the *Affected version range:*
block, surfaces in the Step 2 proposal so the user can spot misextraction
before the body-field update applies. Lands the summary into the *Short public
summary for publish* body field **before** the Step 5 JSON regen, so the
re-pushed JSON carries the published summary verbatim (lock-step with the body).
### Wrap-up comment (post-close)
Loads `release-manager-wrap-up-comment.md` (#224) and posts as the **last**
action of the combined apply. The conditional `MILESTONE_BULLET` placeholder is
resolved by a sibling-state check:
```bash
ms=$(gh issue view <N> --repo <tracker> --json milestone --jq '.milestone.number // empty')
if [ -n "$ms" ]; then
  open=$(gh issue list --repo <tracker> --milestone "$ms" --state open --json number --jq 'length')
  if [ "$open" -eq 0 ]; then
    # Last-sibling case → substitute close-milestone link
    ...
  else
    bullet=""
  fi
fi
```
Idempotent via the `<!-- apache-steward: release-manager-wrap-up v1 -->`
marker.
## Test plan
- [x] `skill-validate` pre-commit passes (verified).
- [ ] Live smoke test deferred to the first real post-advisory cycle that
exercises the combined apply — at that point the agent reads the new Step 4
bullets and runs the recipes against a real tracker. Worked examples already
landed adopter-side on airflow-s#295 and airflow-s#355 (handoff comments), but
those predate the SKILL.md wiring; the next real advisory cycle is the first
end-to-end test.
## Closes
End of the no-uv-run-for-RM + sync-drives-lifecycle-close-out arc upstream:
- #222 ✅ merged
- #223 ✅ merged
- #224 ✅ merged
- **This PR** ← closes the loop
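The short-summary extraction described in the PR, sketched as an added example that is not part of the PR or the project's code. The function name, the header-line shape (one line starting with the CVE ID), the un-wrapping of hard-wrapped lines, and the sample body are assumptions; the extractor raises instead of guessing, so a malformed body is surfaced for review rather than landing in the public summary field.

```python
import re

# Assumptions for this sketch (not taken from the skill): the CVE header is the
# one line that starts with the CVE ID, and the end marker starts a line.
END_MARKER = re.compile(r"^Affected version range:", re.MULTILINE)


class ExtractionError(ValueError):
    """Body is not in the expected shape; surface it to the user, do not guess."""


def extract_short_summary(body: str, cve_id: str) -> str:
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve_id):
        raise ExtractionError(f"not a CVE ID: {cve_id!r}")
    body = body.replace("\r\n", "\n")
    headers = list(re.finditer(rf"^{re.escape(cve_id)}\b.*$", body, re.MULTILINE))
    if len(headers) != 1:
        raise ExtractionError(f"expected 1 header line for {cve_id}, found {len(headers)}")
    end = END_MARKER.search(body, headers[0].end())
    if end is None:
        raise ExtractionError("no 'Affected version range:' block after the header")
    block = body[headers[0].end():end.start()]
    # Undo e-mail hard wrapping inside paragraphs, keep paragraph breaks.
    paragraphs = (" ".join(p.split()) for p in re.split(r"\n\s*\n", block))
    summary = "\n\n".join(p for p in paragraphs if p)
    if not summary:
        raise ExtractionError("empty summary between header and version block")
    return summary


# Constructed sample body, not a real advisory.
SAMPLE_BODY = """\
Severity: low

CVE-2099-00001: Example Project: constructed advisory title

An authenticated user could read a value that
should have been masked in the UI.

Users are recommended to upgrade.

Affected version range:

- Example Project before 9.9.9
"""

if __name__ == "__main__":
    print(extract_short_summary(SAMPLE_BODY, "CVE-2099-00001"))
```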