potiuk opened a new pull request, #274:
URL: https://github.com/apache/airflow-steward/pull/274
## Summary
Recent `security-issue-sync` changes (#202, #222, #225, #255) shifted
Vulnogram `REVIEW -> PUBLIC`, JSON re-push, board move, and tracker close from
RM hand-clicks to sync automation. The reference docs still described the
pre-2026 flow; this PR brings them back in sync.
### Process reference (`docs/security/process.md`)
- **Step 12**: document the two-stage hand-off gate (six mandatory body
fields populated + CVE record state `REVIEW`) and the *Remediation-developer
fill-fields comment* that fires when either gate fails. RM hand-off comment now
only fires when both gates clear.
- **Step 13**: rewrite the RM checklist as three single-click Vulnogram
actions (`REVIEW -> READY`, send advisory, stop). Drop the stale "`REVIEW`
(then `READY`)" phrasing — `REVIEW` is set by sync.
- **Step 14**: rename to *Capture the public advisory URL and close out* and
enumerate the eleven actions of sync's combined apply at the archive-URL
trigger (URL capture, short-summary extraction, label flips, JSON re-push,
`READY -> PUBLIC` via OAuth API, board move, tracker close, board archive,
conditional milestone close, wrap-up comment).
- **Step 15**: collapse to *RM verifies the close-out landed* — the RM has
no remaining manual work, just receives a purely-informational timeline marker.
- Mermaid diagram, label-lifecycle state diagram, and label reference table
updated to match.
### Role guides (`docs/security/roles.md`)
- **Handoff from the remediation developer**: mention the fill-fields
comment they may receive when the six mandatory fields are incomplete.
- **Sending the advisory**: replace with the three-step Vulnogram clickflow
matching `process.md` Step 13.
- **Capturing the public archive URL and closing out**: list the sync-driven
combined apply.
- **Publishing the CVE and closing the issue**: now *Nothing to do*.
- **Tools you use most** (RM): drop stale Vulnogram-paste language.
### Family overview (`docs/security/README.md`)
- *Eight skills* → *Nine skills … plus one read-only supporting skill*.
- Split the skills table into **Lifecycle skills** (9) and **Supporting
tools** (1), adding `security-tracker-stats-dashboard` (added in #248).
## Test plan
- [x] `prek run --files docs/security/{README,process,roles}.md` — all hooks
pass (doctoc, markdownlint, typos).
- [ ] Render `process.md` on GitHub and confirm the Mermaid diagram renders.
- [ ] Spot-check anchor links in the updated TOCs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
