potiuk opened a new pull request, #276: URL: https://github.com/apache/airflow-steward/pull/276
## Summary

Adds a bot/AI credit policy that fires at every site where the security skill suite auto-extracts a finder or remediation-developer credit. When the candidate matches the policy, the skills now skip the credit by default, surface the skip with the matched rule, and — on email-backed trackers — propose a Gmail draft asking the reporter whether the bot/AI handle is the intended attribution or whether a human behind it should be credited instead.

### New shared policy

**`tools/vulnogram/bot-credits-policy.md`** — single source of truth. Detection covers:

- GitHub `[bot]` suffix (`dependabot[bot]`, `renovate[bot]`, `github-actions[bot]`, ...)
- Known-bot / automation-name list: `dependabot`, `renovate`, `snyk`, `copilot`, `github-actions`, `mend`, `mergify`, `claude`, `chatgpt`, `gpt`, `openai`, `anthropic`, `automated`, `automation`, `scanner`, `sast`, `dast`, ...
- Suffix patterns: `*-bot`, `*-ai`, `*-agent`, `*-gpt`, `*scanner*`, `*automat*`
- Service email senders: `noreply`, `no-reply`, `donotreply`, `security-alerts@`, `notifications@`

Default behaviour: skip silently in the data flow + surface the skip with which rule fired + honour explicit per-tracker overrides (*"credit X anyway"*) + propose a clarification Gmail draft when an inbound reporter thread exists.

### Skills updated to apply the policy

- **`security-issue-import`** — `Reporter credited as` (`From:`-header extraction) + ASF-relay `Credit:`-line extraction. Clarification draft folded into the Step 7 receipt-of-confirmation reply.
- **`security-issue-import-from-pr`** — `Remediation developer` (PR author). No clarification draft (no inbound reporter).
- **`security-issue-import-from-md`** — finder name from markdown metadata. No clarification draft.
- **`security-issue-sync`** — reporter-reply credit-mining (with clarification draft) + PR-author auto-append for *Remediation developer*.
- **`security-issue-deduplicate`** — credit-line consolidation between two trackers; clarification draft on the drop tracker's reporter thread if one exists.

### Generator stays neutral

**`generate-cve-json/SKILL.md`** gains a short note: the filter lives upstream in the skills, not in the generator. This means an intentional human override (typed directly into the body field) survives every JSON regeneration without needing a bypass flag.

## Test plan

- [x] `prek run` — all hooks pass (doctoc regen, markdownlint, typos, skill-validate).
- [ ] On next real `security-issue-import-from-pr` invocation with a `dependabot[bot]` PR: verify the skill skips the *Remediation developer* field and surfaces *"skipped credit: dependabot[bot] (matches bot policy — ends with [bot])"* in the proposal.
- [ ] On next real `security-issue-sync` pass against a tracker whose reporter requested credit as e.g. *"claude-bot"*: verify the skill skips the credit and proposes a clarification Gmail draft.

--
This is an automated message from the Apache Git Service.
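The four rule families and the default behaviour (skip, surface the matched rule, honour an explicit override, propose a clarification draft when a reporter thread exists) described in the PR, as an added worked example in Python. This is not the airflow-steward code: the function names `match_bot_policy` and `decide_credit`, the `CreditDecision` record, the rule ordering, the way a candidate string is split into display name and address, and the treatment of the PR's trailing `...` as a non-exhaustive sample list are all assumptions made here to show how such a policy can be evaluated and explained to a reviewer.

```python
"""Bot/AI credit policy matcher. Hypothetical example, not the airflow-steward code.

Returns the rule that fired so a skill can skip the credit and show why,
instead of silently dropping an attribution.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Rule family 2: known bot / automation names. The PR's list ends in "..." so
# this is a constructed sample of it, not a complete policy.
KNOWN_BOT_NAMES = frozenset({
    "dependabot", "renovate", "snyk", "copilot", "github-actions", "mend",
    "mergify", "claude", "chatgpt", "gpt", "openai", "anthropic",
    "automated", "automation", "scanner", "sast", "dast",
})
# Rule family 3: suffix patterns (*-bot, *-ai, *-agent, *-gpt) and substrings (*scanner*, *automat*).
SUFFIX_PATTERNS = ("-bot", "-ai", "-agent", "-gpt")
SUBSTRING_PATTERNS = ("scanner", "automat")
# Rule family 4: service email senders.
SERVICE_LOCAL_PARTS = frozenset({"noreply", "no-reply", "donotreply"})
SERVICE_PREFIXES = ("security-alerts@", "notifications@")


def _split_candidate(candidate: str):
    """Split 'Name <addr>', a bare address, or a bare handle into (display name, email)."""
    m = re.match(r"^\s*(.*?)\s*<([^>]+)>\s*$", candidate)
    if m:
        return m.group(1), m.group(2).lower()
    if "@" in candidate:
        return "", candidate.strip().lower()
    return candidate.strip(), ""


def match_bot_policy(candidate: str) -> Optional[str]:
    """Return a readable rule name if the candidate looks like a bot/AI handle, else None."""
    name, email = _split_candidate(candidate)
    # The handle is the display name, or the address local part when there is no name.
    handle = (name or email.split("@", 1)[0]).lower()
    # 1. GitHub "[bot]" suffix, e.g. dependabot[bot]
    if handle.endswith("[bot]"):
        return "ends with [bot]"
    # 4. Service senders are checked next so "noreply@..." is explained as a service address.
    if email:
        local = email.split("@", 1)[0]
        if local in SERVICE_LOCAL_PARTS or any(email.startswith(p) for p in SERVICE_PREFIXES):
            return f"service sender {email}"
    # 2. Known automation names, matched on whole tokens of the handle (and the whole handle,
    #    so hyphenated names such as github-actions still match).
    tokens = set(re.split(r"[^a-z0-9]+", handle)) | {handle}
    hit = tokens & KNOWN_BOT_NAMES
    if hit:
        return f"known automation name {sorted(hit)[0]}"
    # 3. Suffix and substring patterns.
    for suffix in SUFFIX_PATTERNS:
        if handle.endswith(suffix):
            return f"ends with {suffix}"
    for sub in SUBSTRING_PATTERNS:
        if sub in handle:
            return f"contains {sub}"
    return None


@dataclass(frozen=True)
class CreditDecision:
    field: str                 # e.g. "Reporter credited as" or "Remediation developer"
    credit: bool               # whether the credit line is written
    rule: Optional[str]        # policy rule that fired, if any
    surface: str               # text a skill would show in its proposal
    draft_clarification: bool  # whether a clarification draft to the reporter is proposed


def decide_credit(candidate: str, field: str, overrides: Iterable[str] = (),
                  has_reporter_thread: bool = False) -> CreditDecision:
    """Apply the policy: an explicit per-tracker override wins, otherwise skip on a match."""
    if candidate in set(overrides):
        return CreditDecision(field, True, None, f"credited {candidate} (explicit override)", False)
    rule = match_bot_policy(candidate)
    if rule is None:
        return CreditDecision(field, True, None, f"credited {candidate}", False)
    # A clarification draft only makes sense where an inbound reporter thread exists.
    return CreditDecision(field, False, rule,
                          f"skipped credit: {candidate} (matches bot policy: {rule})",
                          has_reporter_thread)


if __name__ == "__main__":
    # Constructed sample candidates, as a skill would extract them.
    for cand, fld, thread in [("dependabot[bot]", "Remediation developer", False),
                              ("claude-bot", "Reporter credited as", True),
                              ("Jane Doe <jane@example.org>", "Reporter credited as", True)]:
        print(decide_credit(cand, fld, has_reporter_thread=thread).surface)
```

The patterns are deliberately broad (a human whose handle happens to contain "automat" will be skipped too), which is why the surfaced rule and the clarification draft matter: the reviewer sees exactly which rule fired, and the reporter gets to say whether a person behind the handle should be credited. An explicit override is checked before any pattern so a deliberate "credit X anyway" cannot be undone by a later change to the name list.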
