potiuk opened a new pull request, #497: URL: https://github.com/apache/airflow-steward/pull/497
## Summary

- `security-issue-import` **Step 2b** now runs an **unconditional closed-invalid tracker cross-check** on every surviving candidate — in addition to the existing (conditional) Gmail prior-rejection search.
- A report that is a near-twin of a tracker the team already closed as invalid (matching on component **and** bug-class) is surfaced as a `reject-with-canned` precedent in the Step 5 proposal, with the precedent tracker linked.
- New `step-2b` eval `case-4-closed-invalid-tracker` (including the loose-keyword-tracker exclusion) + two new output fields.

## Motivation

Upstreams Override 2 of the Apache Airflow security team's adopter (`.apache-magpie-overrides/security-issue-import.md`).

The framework's Step 2b only searched the *mailing-list* archive for prior rejections, and only on candidates already heading for a negative disposition. The adopter found the higher-signal check is the *closed-as-invalid tracker* scan — "we already opened and rejected a near-twin of this" — and that it pays to run it on **every** candidate, since the operator otherwise re-discovers the precedent by hand during triage.

The two searches are complementary: the tracker scan catches "we rejected a near-twin as a tracker"; the mail search catches "we answered this on-thread without ever opening a tracker."

## Shape (per setup-override-upstream Step 4)

**Refactor existing step** — Step 2b is enhanced, no new config knob. The closed-invalid label names come from the existing `<project-config>/scope-labels.md` → *Closing dispositions* section, so the behaviour is universal and project-agnostic. The airflow-specific worked example (`#230` Teradata) and literal `invalid` / `not CVE worthy` label strings from the override are dropped in favour of the `<project-config>` reference.

## Migration path for existing adopters

Additive. Adopters already declare their closing-disposition labels in `<project-config>/scope-labels.md`; the cross-check reads those. Nothing to opt out of; no behaviour removed.

## Test plan

- `prek run` green on all touched files (skill-and-tool-validate / capability sync, markdownlint, typos, placeholders, license).
- New eval `tools/skill-evals/evals/security-issue-import/step-2b-prior-rejection/case-4-closed-invalid-tracker` asserts: a closed-invalid tracker matching on component AND bug-class is a reject precedent; a tracker sharing only a loose keyword is correctly excluded.
- `lychee --offline` clean for the changed files (the only flagged links are the framework's `<project-config>` placeholder tokens, excluded by `.lychee.toml`).
- Validated against the airflow-s adopter's live import runs.

Generated-by: Claude Code (Claude Opus 4.8)
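A small executable model of the Step 2b cross-check and its eval case, added here as an illustration and not code from the airflow-steward project (the skill itself is a markdown prompt, not Python); the `Tracker` and `Candidate` shapes, the closing-disposition label set and the sample trackers are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed stand-in for the "Closing dispositions" section of
# <project-config>/scope-labels.md; a real adopter supplies its own labels.
CLOSING_DISPOSITION_LABELS = frozenset({"invalid", "not CVE worthy"})


@dataclass(frozen=True)
class Tracker:
    """One existing security tracker (assumed shape, not the project's)."""
    id: int
    component: str
    bug_class: str
    state: str                          # "open" or "closed"
    labels: frozenset = frozenset()     # labels applied at close time
    keywords: frozenset = frozenset()   # loose free-text keywords


@dataclass(frozen=True)
class Candidate:
    """An incoming report surviving earlier Step 2 filtering."""
    component: str
    bug_class: str
    keywords: frozenset = frozenset()


def closed_invalid_precedent(candidate, trackers,
                             disposition_labels=CLOSING_DISPOSITION_LABELS):
    """Step 2b cross-check: first tracker that is closed, carries a
    closing-disposition label, and matches on component AND bug-class.
    Keyword overlap alone never qualifies (the case-4 exclusion)."""
    for t in trackers:
        if t.state != "closed" or not (t.labels & disposition_labels):
            continue
        if t.component == candidate.component and t.bug_class == candidate.bug_class:
            return t
    return None


def step5_disposition(candidate, trackers):
    """The two output fields the cross-check contributes to the Step 5 proposal."""
    hit = closed_invalid_precedent(candidate, trackers)
    if hit is None:
        return {"precedent": "none", "precedent_tracker": None}
    return {"precedent": "reject-with-canned", "precedent_tracker": hit.id}


# Constructed sample trackers: 101 is a closed-invalid near-twin of a
# path-traversal report in providers/example; 102 shares only keywords.
SAMPLE_TRACKERS = [
    Tracker(101, "providers/example", "path-traversal", "closed",
            frozenset({"invalid"}), frozenset({"upload"})),
    Tracker(102, "core/api", "sql-injection", "closed",
            frozenset({"not CVE worthy"}), frozenset({"upload", "admin"})),
    Tracker(103, "providers/example", "path-traversal", "open"),
]
```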
