potiuk opened a new pull request, #431: URL: https://github.com/apache/airflow-steward/pull/431
## Summary

- Bulk-mode gather subagents now determine *advisory-shipped* from the authoritative `users@` mailing-list archive + cve.org publication state — never from the tracker body's *Public advisory URL* field / `announced` label.
- Adds `advisory_shipped` / `advisory_url` / `cve_published` to the subagent report shape; the orchestrator buckets a `fix released` tracker whose CVE is already public into the Step 14→15 close-out regardless of body-field lag.

## Motivation

On a real bulk `sync all` run, two announced trackers (advisories shipped to `users@`, CVEs already PUBLISHED on cve.org) were read by their gather subagents as "parked / advisory not yet sent" because they trusted the lagging tracker body (empty *Public advisory URL*, no `announced` label). They were excluded from the close-out batch and left stranded open on their milestone, blocking the milestone close.

`gather.md` already documents the archive-scan trigger (Step 1d), but the bulk-mode subagent contract didn't enforce it — so subagent thoroughness was inconsistent. This bakes the check into the contract.

Originated as a local adopter override in the Apache Airflow security tracker; upstreaming so every adopter benefits.

## Migration path

No config knob, no opt-out needed. Gather subagents do one extra read-only archive search per `cve allocated` tracker. No behaviour change for adopters who don't run bulk mode.

## Test plan

`prek run --files .claude/skills/security-issue-sync/bulk-mode.md` → all hooks pass (markdownlint, typos, check-placeholders, skill-and-tool-validate).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
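The failure mode the PR describes (a tracker bucketed as "parked" because the body fields lag behind the real advisory/CVE state) and the proposed fix (decide from the archive and cve.org, carry `advisory_shipped` / `advisory_url` / `cve_published` in the report, bucket on that) can be shown as a small decision model. The following is an added illustration, not code from airflow-steward or from the PR; the `TrackerSnapshot` fields, the archive/cve.org lookups (stubbed as constructed data) and the bucket names are assumptions made for the example.

```python
"""Added example: 'advisory shipped' decided from authoritative signals
(mailing-list archive + CVE publication state), not from lagging tracker
body fields. Hypothetical shapes; not airflow-steward's own code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrackerSnapshot:
    """What a gather subagent sees for one tracker (constructed fields)."""
    number: int
    state_label: str                      # e.g. "fix released", "cve allocated"
    body_advisory_url: Optional[str]      # body's "Public advisory URL" field
    has_announced_label: bool             # body's "announced" label
    # Authoritative signals. In a real run these come from a read-only
    # users@ archive search and a cve.org lookup; here they are constructed.
    archive_advisory_url: Optional[str]
    cve_published: bool


def advisory_shipped(snap: TrackerSnapshot) -> bool:
    """Authoritative rule: the archive hit or a published CVE means shipped.
    The tracker body is deliberately not consulted."""
    return snap.archive_advisory_url is not None or snap.cve_published


def gather_report(snap: TrackerSnapshot) -> dict:
    """The report a bulk-mode subagent would hand to the orchestrator,
    with the three fields the PR adds."""
    return {
        "number": snap.number,
        "state_label": snap.state_label,
        "advisory_shipped": advisory_shipped(snap),
        "advisory_url": snap.archive_advisory_url,
        "cve_published": snap.cve_published,
    }


def bucket(report: dict) -> str:
    """Orchestrator bucketing on the authoritative report fields.
    A 'fix released' tracker whose advisory is shipped (or whose CVE is
    already public) goes to close-out regardless of body-field lag."""
    if report["state_label"] != "fix released":
        return "in-progress"
    if report["advisory_shipped"] or report["cve_published"]:
        return "close-out"
    return "parked"  # advisory genuinely not sent yet


def legacy_bucket(snap: TrackerSnapshot) -> str:
    """The pre-fix behaviour for comparison: trusts the tracker body only."""
    if snap.state_label != "fix released":
        return "in-progress"
    body_says_shipped = snap.body_advisory_url is not None or snap.has_announced_label
    return "close-out" if body_says_shipped else "parked"


# Constructed sample: body lags (no URL, no label) although the advisory is
# in the archive and the CVE is published on cve.org.
LAGGING = TrackerSnapshot(
    number=101, state_label="fix released",
    body_advisory_url=None, has_announced_label=False,
    archive_advisory_url="https://lists.example.invalid/users/msg-placeholder",
    cve_published=True,
)
# Constructed sample: fix released but nothing shipped anywhere yet.
NOT_SENT = TrackerSnapshot(
    number=102, state_label="fix released",
    body_advisory_url=None, has_announced_label=False,
    archive_advisory_url=None, cve_published=False,
)


def compare(snap: TrackerSnapshot) -> tuple:
    """(legacy bucket, authoritative bucket) for one tracker."""
    return legacy_bucket(snap), bucket(gather_report(snap))


if __name__ == "__main__":
    for s in (LAGGING, NOT_SENT):
        print(s.number, compare(s))
```

For the lagging tracker the legacy rule yields "parked" while the authoritative rule yields "close-out", which is exactly the stranded-on-milestone case the PR fixes; for the tracker with nothing shipped both rules agree on "parked", so the extra archive read changes nothing where the body is accurate.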