potiuk opened a new pull request, #379: URL: https://github.com/apache/airflow-steward/pull/379
## Summary

Three refinements to the reporter-notification rule for close-as-invalid trackers in `security-issue-invalidate`:

1. **CVE-ID in body for `duplicate` dispositions** — per Arnout Engelen's 2026-05-29 message (Kyuubi SSRF context): closing-as-duplicate replies MUST name the canonical CVE-YYYY-NNNNN so ASF Security can group threads.
2. **Two named no-draft-owed exceptions** — internal audit findings (no inbound); GHSA-relay-only with operator holding GHSA-write access (advisory itself carries closure).
3. **New GHSA-relay-without-write-access case** — when the operator can't comment on the GHSA, the closure relays via ASF Security per `tools/gmail/asf-relay.md` (clickable URL + paste-ready reporter-voice block).

Step 5e rollup terminal entry now requires one of seven explicit notification states; ambiguous channels block the close.

## Test plan

- [x] Manual review of the three sub-step changes (Step 5d intro skip-cases, Step 5d.3 body augmentation, Step 5e rollup-entry shape)
- [ ] Apply to next close-as-invalid tracker on `airflow-s/airflow-s` to confirm the rollup-entry shape works for both direct + via-forwarder + the new GHSA-relay-without-write paths

## Notes for reviewers

- The `gh api repos/<upstream>/security-advisories/<GHSA-ID>` probe is the operator-write-access verification — non-403 means write access.
- The asf-relay shape was added in [PR #375](https://github.com/apache/airflow-steward/pull/375); this PR reuses that contract for the GHSA-without-write case.
- Backed by a session audit of 7 of 11 Jan-Apr 2026 closed-invalid trackers on `airflow-s/airflow-s` — every confirmed case had a direct rejection reply sent in practice; this codifies the implicit rule.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
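The first refinement in the PR (a `duplicate` close reply must name the canonical CVE id so ASF Security can group threads) is the kind of rule that is easy to state and easy to forget at send time. The following is an added example, not code from the PR or from the airflow-steward repository: a small pre-send lint that takes the disposition and the drafted reply body and reports why the reply must not go out yet. The disposition names, the sample reply texts and the function names are constructed for illustration; only the CVE-YYYY-NNNNN shape and the duplicate rule come from the PR text.

```python
import re

# CVE identifiers are "CVE-" + four-digit year + four or more digits
# (the PR writes the shape as CVE-YYYY-NNNNN). Word boundaries stop
# partial matches such as "CVE-2026-1" inside a longer token.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def find_cve_ids(body: str) -> list[str]:
    """Return the distinct CVE ids named in a reply body, sorted."""
    return sorted(set(CVE_RE.findall(body)))


def validate_close_reply(disposition: str, body: str) -> list[str]:
    """Lint a drafted close-as-invalid reply before it is sent.

    Returns a list of problems; an empty list means the reply passes.
    Disposition values here ("duplicate", "not-a-vulnerability", ...)
    are constructed for this example, not taken from the steward rules.
    """
    problems = []
    if not body.strip():
        problems.append("reply body is empty")

    if disposition == "duplicate":
        cves = find_cve_ids(body)
        if not cves:
            # The rule from the PR: closing-as-duplicate MUST name the
            # canonical CVE id so ASF Security can group the threads.
            problems.append(
                "duplicate disposition: body must name the canonical "
                "CVE-YYYY-NNNNN the report duplicates"
            )
        elif len(cves) > 1:
            # Several ids make it unclear which one is canonical;
            # surface it rather than guessing.
            problems.append(
                "duplicate disposition: body names several CVE ids "
                f"({', '.join(cves)}); name the single canonical one"
            )
    return problems


# Constructed sample replies used to exercise the lint.
REPLY_MISSING_CVE = (
    "Thanks for the report. This was already reported and is being "
    "handled under an existing advisory, so we are closing this thread."
)
REPLY_WITH_CVE = (
    "Thanks for the report. This duplicates CVE-2026-12345, which is "
    "already being handled; closing this thread so the two can be grouped."
)

if __name__ == "__main__":
    for disp, body in [("duplicate", REPLY_MISSING_CVE),
                       ("duplicate", REPLY_WITH_CVE),
                       ("not-a-vulnerability", REPLY_MISSING_CVE)]:
        problems = validate_close_reply(disp, body)
        status = "OK" if not problems else "BLOCKED"
        print(f"{disp:20s} {status}")
        for p in problems:
            print("   -", p)
```

Running the file shows the first draft blocked (no CVE id), the second passing, and the non-duplicate disposition passing with the same body, which is the point of keying the check on the disposition rather than on the text alone.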
