potiuk opened a new pull request, #295: URL: https://github.com/apache/airflow-steward/pull/295
## Summary

- Adds a "courtesy reply to the reviewer" sub-pattern to `security-issue-sync` Step 1e — when sync addresses a Vulnogram reviewer comment via a body-field update + JSON re-push, also propose a short Gmail draft on the reviewer's notification thread asking them to re-review.
- Updates the matching Step 2b table-row pointer so readers of the signal table see the courtesy-reply pattern alongside the existing field-mapping table.
- Restricted to comments that mapped cleanly to a body-field update; judgement-call comments stay on the existing "surface verbatim for human resolution" path.

## Motivation

When a reviewer (e.g. an ASF Security PMC member) leaves a comment on a CVE record via Vulnogram, the comment arrives as a "Comment added on `<CVE-ID>`" Gmail notification on `<security-list>`. The existing Step 1e flow correctly:

1. Detects the comment from the Gmail thread.
2. Maps it to a body-field update on the tracker.
3. Regenerates and re-pushes the CVE JSON.

But the reviewer has **no signal that the record changed** — Vulnogram does not auto-notify reviewers of record updates. Without a courtesy reply on the original notification thread, the reviewer's comment can sit unresolved for days simply because they have no reason to re-open the Vulnogram UI.

Encountered this in practice when @pkarwasz left a comment on CVE-2026-48726 asking for the description to be expanded; the sync flow correctly addressed the comment via a body update, but it took an explicit courtesy reply on the notification thread to close the loop (otherwise Piotr would have had to wait until he happened to check Vulnogram again).

## Migration path for existing adopters

No new config knob. No default change. This is an additional draft proposal that fires only when the Step 1e detection found an open reviewer comment that mapped to a body-field update — same trigger as the existing body-update proposal.

Adopters who do not want the courtesy reply can override `security-issue-sync.md` to suppress it; the default is "always propose, never send".

## Test plan

- [x] Manually walked the flow this session (CVE-2026-48726 / tracker airflow-s/airflow-s#438): reviewer comment detected → body update proposed and applied → JSON regenerated + pushed via `vulnogram-api-record-update` → courtesy reply draft created on the notification thread. End-to-end works with the existing `claude_ai_mcp` draft backend.
- [x] `prek run --files .claude/skills/security-issue-sync/SKILL.md` — passed (skill-validate green, no placeholder leaks).
- [ ] Reviewer to confirm the placement of the new paragraph reads naturally alongside the existing "Open the CVE record at `<URL>` and resolve the review comment" RM-facing reminder above it.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
