potiuk opened a new pull request, #278: URL: https://github.com/apache/airflow-steward/pull/278
## Summary

When a tracker has no direct way to reach the original reporter — ASF-security-relay reports, read-only GitHub Private Reporting, AI scan markdown imports, anonymous tips — the skills now route reporter-facing communication through the **forwarder** (the security-team member or relay service that delivered the report). In that *via-forwarder mode*, only **important lifecycle milestones** are relayed. Regular workflow chatter and credit-acceptance confirmation messages are suppressed so the forwarder isn't pinged with low-signal updates that would burn their goodwill.

### New policy doc — `docs/security/forwarder-routing-policy.md`

**Detection** (four cases):

1. ASF-security relay (sender = `[email protected]` with the forwarding preamble).
2. Read-only GitHub Private Reporting we have access to but can't reply on.
3. `security-issue-import-from-md`-imported trackers (no inbound reporter).
4. Explicit `<!-- apache-steward: routing-mode via-forwarder -->` marker comment.

**Milestones — DO relay** (each carries a short body template referencing the external identifier, never re-stating technical detail):

- Report accepted as valid
- Report assessed as invalid
- Advisory sent
- Additional information requested

**CVE allocated is out of scope** (own section): Vulnogram typically emits its own allocation notification, and the team owes the reporter (or forwarder) a single short notification here regardless of routing mode. Same draft body in both modes — no recipient swap, no suppression.

**Negative space — DO NOT relay** (the *credit-acceptance confirmation* class):

- Follow-up *"please confirm we will credit you as X"* chase-ups.
- The standalone bot/AI credit-clarification draft.
- Regular workflow status flips (pr created, pr merged, fix released).
- Reviewer-comment relays, sync rollup notifications.

The credit *question* itself (initial one-line ask folded into a milestone draft) is **not** suppressed — the forwarder might know or might relay it. The distinction: a *question* is cheap and one-shot; a *confirmation* demands a reply the forwarder can't supply.

### Skills wired in

- `security-issue-import` Step 7 ASF-relay branch — canonical via-forwarder receipt-of-confirmation.
- `security-issue-sync` reporter-draft section — direct / forwarder / suppress decision with a *"skipped reporter draft"* recap line for non-milestone events.
- `security-issue-invalidate` Step 5d — re-framed as the *Report assessed as invalid* milestone.
- `security-cve-allocate` Step 4 #5 — out-of-scope per policy; same draft body in both modes.
- `tools/vulnogram/bot-credits-policy.md` — defers to the new policy; standalone clarification draft suppressed in via-forwarder mode but bot detection still runs.
- `docs/security/README.md` + `roles.md` — link to the policy.

## Test plan

- [x] `prek run` on all touched files — all hooks pass.
- [ ] Next real ASF-relay import: verify Step 7 receipt folds the credit question in but doesn't open a standalone clarification draft.
- [ ] Next sync against an ASF-relay tracker at `pr merged`: verify no forwarder draft is proposed (non-milestone) and the recap shows the skip note.

--
This is an automated message from the Apache Git Service.
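The decision the PR describes (detect via-forwarder mode from one of the four cases, relay only the four milestones, keep the CVE-allocated notification unchanged in both modes, and suppress everything else with a "skipped reporter draft" recap) can be modelled in a few dozen lines. The block below is an added illustration, not code from the airflow-steward project or its skills; every class, function and event name in it is hypothetical, and `RELAY_SENDER` is a placeholder because the relay address is not reproduced on the page.

```python
"""Hypothetical model of the via-forwarder routing policy (added example,
not apache/airflow-steward code). Names and event strings are invented."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import re

# Placeholder: the real ASF security relay address is not shown on the page.
RELAY_SENDER = "asf-security-relay@example.invalid"
# Explicit marker comment from the policy; whitespace-tolerant match.
MARKER_RE = re.compile(r"<!--\s*apache-steward:\s*routing-mode\s+via-forwarder\s*-->")


class Mode(Enum):
    DIRECT = "direct"
    VIA_FORWARDER = "via-forwarder"


@dataclass(frozen=True)
class Tracker:
    body: str                        # tracker issue text; may carry the marker
    source: str                      # hypothetical: "email", "ghsa" or "md-import"
    sender: Optional[str] = None     # originating sender when source == "email"
    forwarding_preamble: bool = False
    ghsa_read_only: bool = False


def detect_mode(t: Tracker) -> Mode:
    """The four detection cases; the explicit marker is checked first."""
    if MARKER_RE.search(t.body):
        return Mode.VIA_FORWARDER
    if t.source == "email" and t.sender == RELAY_SENDER and t.forwarding_preamble:
        return Mode.VIA_FORWARDER
    if t.source == "ghsa" and t.ghsa_read_only:
        return Mode.VIA_FORWARDER
    if t.source == "md-import":          # markdown import: no inbound reporter
        return Mode.VIA_FORWARDER
    return Mode.DIRECT


# Milestone bodies reference only the external identifier, no technical detail.
MILESTONES = {
    "report-accepted": "Report {ref}: assessed as a valid security issue.",
    "report-invalid": "Report {ref}: assessed as not a security issue.",
    "advisory-sent": "Report {ref}: the advisory has been sent.",
    "info-requested": "Report {ref}: additional information is needed.",
}
# Out of scope of routing: one short notification, same body in both modes.
CVE_ALLOCATED = "cve-allocated"
# Anything else (credit-confirmation chase-ups, the bot credit-clarification
# draft, pr-created / pr-merged / fix-released flips, reviewer relays, sync
# rollups) is suppressed in via-forwarder mode simply by not being a milestone.


@dataclass(frozen=True)
class Draft:
    recipient: str   # "reporter" or "forwarder"
    body: str


def plan_reporter_draft(t: Tracker, event: str, ref: str,
                        ask_credit: bool = False) -> Optional[Draft]:
    """Return the draft to propose, or None when the sync recap should show a
    'skipped reporter draft' line instead."""
    mode = detect_mode(t)
    if event == CVE_ALLOCATED:
        # Same body in both modes; only the reachable party differs.
        body = f"Report {ref}: a CVE identifier has been allocated."
        return Draft("reporter" if mode is Mode.DIRECT else "forwarder", body)
    if mode is Mode.DIRECT:
        # Direct mode is untouched by the policy; modelled as a plain status draft.
        return Draft("reporter", f"Report {ref}: status update ({event}).")
    if event not in MILESTONES:
        return None                      # non-milestone: suppressed
    body = MILESTONES[event].format(ref=ref)
    if ask_credit:
        # The one-line credit *question* may be folded into a milestone draft;
        # a later *confirmation* chase-up would be a separate, suppressed event.
        body += " Should the reporter be credited, and under what name?"
    return Draft("forwarder", body)


if __name__ == "__main__":
    relay = Tracker(body="", source="email", sender=RELAY_SENDER,
                    forwarding_preamble=True)
    print(plan_reporter_draft(relay, "report-accepted", "EXT-1", ask_credit=True))
    print(plan_reporter_draft(relay, "pr merged", "EXT-1"))   # None: suppressed
```

Running the module shows a forwarder-addressed milestone draft with the credit question folded in, followed by `None` for the `pr merged` flip, which is where a sync run would print the skip note instead of proposing a draft.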
