potiuk opened a new pull request, #255:
URL: https://github.com/apache/airflow-steward/pull/255
## Summary
Changes the `pr merged → fix released` hand-off so the release manager
**never** receives a hand-off comment while the CVE record is still in `DRAFT`
state.
- New template:
`tools/vulnogram/remediation-developer-fill-fields-comment.md` — fires at Step
11 (pr merged) and Step 12 (fix released) when CVE body fields are incomplete
OR the CVE record state is still `DRAFT` after sync's JSON push attempt. Tags
the remediation developer; issue stays assigned to them until the gate clears.
- Both `release-manager-handoff-comment{,-oauth-pushed}.md` rewritten: drop
the `DRAFT` branch from Step 1; assert "you will never see this comment in
`DRAFT` state"; clearer step-by-step UI actions.
- `.claude/skills/security-issue-sync/SKILL.md` updated: two-stage gate
(body fields populated + CVE state == REVIEW), Step 1d table rows describing
both firing points of the fill-fields comment, new Step 5b.6 (post-push state
verification).
## Why
A live release manager on the Apache Airflow security tracker hit the
existing hand-off comment and replied: *"I just do not understand the process
probably. I am lost. Unsure what the agent now did and what I need to do."*
Root cause: the existing template branches the RM through "if state is `DRAFT`,
do X; if `REVIEW`, do Y" — putting the state-detection burden on the RM. Per
the security-team maintainer feedback, the RM should never make state
decisions: either the record is ready for them (`REVIEW` state + all six body
fields populated) or it stays with the remediation developer.
The fix moves the DRAFT → REVIEW state-advance responsibility from the RM to
**sync**:
- At the **`pr created → pr merged`** transition (Step 11): sync checks the
six mandatory body fields (`CWE`, `Affected versions`, `Severity`, `Reporter
credited as`, `Short public summary for publish`, `PR with the fix`). If any is
empty, post the new fill-fields comment tagging the remediation developer with
the concrete missing list.
- At the **`pr merged → fix released`** transition (Step 12): sync pushes
the JSON via `vulnogram-api-record-update` with `body.CNA_private.state =
"REVIEW"`, then verifies the record state actually advanced. If still `DRAFT`
(push blocked, schema rejection, body field still empty), re-fire the
fill-fields comment. **Do not** fire the RM hand-off, do not flip the label, do
not swap assignees.
- The RM hand-off comment fires **only** when sync confirms `state ==
REVIEW`. The template asserts this invariant in its body so any misfire is
recognizable to the RM.
## What's not in this PR
- **`vulnogram-api-record-fetch` CLI** — referenced in the new Step 5b.6
verification, but not yet implemented. Sync will need to either fall back to
extracting the saved-state from `vulnogram-api-record-update`'s response
envelope (which already includes `CNA_private.state`), or this CLI lands in a
follow-up PR.
- **Generator support for setting `state: "REVIEW"` in the pushed JSON** —
`generate-cve-json` currently defaults to `state: DRAFT`. Auto-promote requires
either a generator flag or sync post-processing the JSON before push.
Implementation TBD; the SKILL documents the desired behaviour.
- **Publication-ready template UX rewrite** — same treatment as the hand-off
templates is planned but not in this PR; will follow as a separate PR once the
hand-off changes settle.
- **`tools/vulnogram/record.md` state-machine section update** — needs to
reflect that sync now auto-promotes DRAFT → REVIEW; not yet updated here.
## Test plan
- [ ] Manual rendering check: re-render both hand-off templates with the
substitution placeholders, eyeball for readability.
- [ ] Walk through the new flow on a fresh tracker (e.g. the next `cve
  allocated` tracker reaching `pr merged`):
  - All 6 fields filled at pr-merged → fill-fields comment NOT fired; the
    existing CVE-tool comment apply still proceeds.
  - Any field missing at pr-merged → fill-fields comment posted, tagging
    remediation developer.
  - Field filled between sync runs → fill-fields comment PATCH-flipped (not
    duplicated) with refreshed missing-list.
  - Body fields all filled but JSON push failed → fill-fields comment
    re-fires with the push-failure description.
- [ ] No breaking change to idempotency: the markers `<!-- apache-steward:
release-manager-handoff v1 -->` (both variants) stay the same; only the body
content changed.
- [ ] The new fill-fields template's marker `<!-- apache-steward:
remediation-developer-fill-fields v1 -->` is unique to this template.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
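As an added illustration of the two-stage gate the PR describes (example code, not from the airflow-steward project), modelling the Step 11 and Step 12 decisions; the issue-body layout, the function names and the `post_push_state` input are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Example code, not from apache/airflow-steward. Field names are the six the
# PR lists; the body layout and function names are assumptions.
MANDATORY_FIELDS = (
    "CWE", "Affected versions", "Severity", "Reporter credited as",
    "Short public summary for publish", "PR with the fix",
)

# Constructed sample tracker body: "Severity" is present but empty and
# "PR with the fix" is absent, so both must land in the missing list.
SAMPLE_BODY = """CWE: CWE-79
Affected versions: <2.0.0
Severity:
Reporter credited as: example-reporter
Short public summary for publish: constructed summary
"""

def parse_body_fields(body: str) -> dict:
    """Parse `Field: value` lines from an issue body (assumed layout)."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def missing_fields(body: str) -> List[str]:
    """Mandatory fields absent or empty, in the order the PR lists them."""
    fields = parse_body_fields(body)
    return [f for f in MANDATORY_FIELDS if not fields.get(f)]

@dataclass
class Decision:
    comment: str                  # "fill-fields", "rm-handoff" or "none"
    reason: str
    missing: List[str] = field(default_factory=list)

def gate(step: str, body: str, post_push_state: Optional[str] = None) -> Decision:
    """Decide which comment sync posts at Step 11 ('pr merged') or Step 12
    ('fix released'); post_push_state is CNA_private.state seen after the
    Step 12 JSON push (assumed to be read from the update response)."""
    missing = missing_fields(body)
    if missing:  # stage 1: tag the remediation developer, never the RM
        return Decision("fill-fields", "body fields incomplete", missing)
    if step == "pr merged":
        return Decision("none", "all fields present; CVE-tool comment proceeds")
    if post_push_state != "REVIEW":  # stage 2: record did not advance
        return Decision("fill-fields", f"record still {post_push_state} after push")
    return Decision("rm-handoff", "sync confirmed state == REVIEW")
```

The RM hand-off is returned only on the final line, after both the field check and the post-push state check have passed.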