This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 841b8f0d fix(template): replace hardcoded Airflow identity with
placeholders in project.md (#506) (#507)
841b8f0d is described below
commit 841b8f0d0f32d239f2f37dffb2862d5ad60dbd6b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Fri Jun 12 02:25:51 2026 +0200
fix(template): replace hardcoded Airflow identity with placeholders in
project.md (#506) (#507)
The project-agnostic scaffold `projects/_template/project.md` carried
live Apache Airflow identity in several CVE / version-extraction config
*values* (not just in `# ASF/Airflow default:` example comments). A fresh
adopter copying the template inherited Airflow's identity in fields that
drive CVE-JSON generation and version extraction, instead of a
placeholder they are prompted to fill.
Replace the five flagged values with `<placeholder>` tokens consistent
with the existing H1 title convention, preserving the
`# ASF/Airflow default:` documentation comments:
- cve scope `product` (airflow / providers) → "<Product Name>"
- cve scope `product` (chart) → "<Secondary Product Name>"
- release_process `name` → <ProjectShortName>
- `affected_version_extract_prefix` → "<ProjectShortName>"
Generated-by: Claude Code (Opus 4.8)
---
projects/_template/project.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/projects/_template/project.md b/projects/_template/project.md
index 1284a2a1..31ff1da3 100644
--- a/projects/_template/project.md
+++ b/projects/_template/project.md
@@ -711,15 +711,15 @@ scope_detection:
# Consumed by: security-issue-triage, generate-cve-json.
labels:
airflow:
- product: "Apache Airflow"
+ product: "<Product Name>"
packageName: "apache-airflow"
path_prefix: "^(airflow-core/|airflow/(?!providers/)|airflow-ctl/)"
providers:
- product: "Apache Airflow"
+ product: "<Product Name>"
packageName: "apache-airflow-providers-<provider>"
path_prefix: "^providers/"
chart:
- product: "Apache Airflow Helm Chart"
+ product: "<Secondary Product Name>"
packageName: "apache-airflow-helm-chart"
path_prefix: "^chart/"
```
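Review bot: The `packageName` values left unchanged in this hunk (`"apache-airflow"`, `"apache-airflow-providers-<provider>"`, `"apache-airflow-helm-chart"`) are still live Airflow identity, and the block is marked as consumed by generate-cve-json. The same holds for the `airflow:` label key and the `path_prefix` regexes such as `"^(airflow-core/|airflow/(?!providers/)|airflow-ctl/)"`. An adopter who fills in only the new `product` placeholders would keep Airflow package names and path matching in their scope detection. Suggest replacing these with placeholder tokens in the same change, or noting in the commit message why they are deliberately kept.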
@@ -834,7 +834,7 @@ product:
# Override when: any other project — replace with the canonical
# short name.
# Consumed by: generate-cve-json, canned-responses templating.
- name: Airflow
+ name: <ProjectShortName>
# Package name shape for the primary artifact — used by the
# advisory templating and the CVE JSON `affected[].packageName`.
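Review bot: `name: <ProjectShortName>` is the only placeholder in this patch written without quotes, while the other four are quoted strings. Suggest `name: "<ProjectShortName>"` so the template uses one form throughout. The field is consumed by generate-cve-json and canned-responses templating, so it is also worth having those consumers reject any value still of the form `<...>`, so that an unfilled token does not end up verbatim in an advisory or CVE record.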
@@ -877,7 +877,7 @@ product:
# Override when: any other product — the literal product token
# reporters use in version expressions.
# Consumed by: security-issue-sync, generate-cve-json.
- affected_version_extract_prefix: "Airflow"
+ affected_version_extract_prefix: "<ProjectShortName>"
```
## Pointers to sibling files
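Review bot: `affected_version_extract_prefix` reuses the `<ProjectShortName>` token from `name`, but the comment above it describes a different thing: "the literal product token reporters use in version expressions". Sharing the token suggests the two fields always take the same value. Suggest a distinct placeholder for this field, or one added comment line saying the value may differ from `name`. An unfilled prefix would also match nothing during version extraction, so a check for leftover `<...>` values in security-issue-sync and generate-cve-json would catch that early.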