Skip to content

refactor(skills): make the fix-released → REVIEW push atomic in security-issue-sync#767

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat/fix-released-atomic-review-push
Jul 6, 2026
Merged

refactor(skills): make the fix-released → REVIEW push atomic in security-issue-sync#767
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat/fix-released-atomic-review-push

Conversation

@potiuk

@potiuk potiuk commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

  • Makes the pr merged → fix released transition in security-issue-sync atomic: confirming the label flip authorises the CVE-JSON regen + OAuth push (allocated → review-ready) + hand-off, all in the same apply pass.
  • Clarifies that bulk-mode's CVE-affecting-bucket confirmation gate is for body-field content judgment only — the mechanical DRAFT → REVIEW state push is not parked behind it.
  • Defines the single acceptable deferral (unavailable authenticated session → manual-paste hand-off + an explicit "still DRAFT" blocker, never silent).

Motivation

Surfaced by the 2026-07-06 Apache Airflow security sync: 8 trackers were advanced to fix released when Airflow 3.3.0 GA'd, but the CVE-JSON push was deferred, leaving all 8 records at DRAFT on Vulnogram. They only reached REVIEW after the operator asked for a separate push run. Because the RM hand-off is gated on REVIEW, the deferral silently stalls the advisory.

Step 5b already prescribes that sync pushes the JSON mechanically; what was missing was an explicit statement that this is non-deferrable at fix released, and that the bulk-mode CVE-affecting gate (a content-judgment gate) does not apply to the mechanical state push.

Originating override: .apache-magpie-overrides/security-issue-sync.md in the adopter's Airflow security-tracker repo.

Changes

  • skills/security-issue-sync/apply-and-push.md (Step 5b) — atomicity rule + single acceptable deferral.
  • skills/security-issue-sync/bulk-mode.md — CVE-affecting-bucket scope clarification.

Docs-only; no tooling/schema change, no config knob, no default changed — no migration for existing adopters.

Test plan

  • prek run --files …apply-and-push.md …bulk-mode.md — all hooks pass (markdownlint, typos, lychee, check-placeholders, skill-and-tool-validate).
  • No new headings ⇒ doctoc TOCs unchanged.

🤖 Generated with Claude Code

…deferrable

The `pr merged → fix released` transition in security-issue-sync must
regenerate + push the CVE JSON (allocated → review-ready) in the same
apply pass as the label flip — never deferred to a later sync or a
separate confirmation. A tracker labelled `fix released` whose CVE
record is still DRAFT strands the release manager (gated on REVIEW)
and silently stalls the advisory.

- apply-and-push.md (Step 5b): add the atomicity rule and the single
  acceptable deferral (unavailable session → manual-paste hand-off +
  explicit "still DRAFT" blocker, never silent).
- bulk-mode.md: clarify the CVE-affecting-bucket confirmation gate is
  for body-field content judgment only; the mechanical DRAFT→REVIEW
  state push rides the fix-released label-flip confirmation.

Surfaced by the 2026-07-06 Apache Airflow sync, where 8 trackers
advanced to `fix released` but their CVE records stayed DRAFT on
Vulnogram until a separate manual push.

Generated-by: Claude Code (Opus 4.8)
@potiuk potiuk added family:security security-* skills capability:intake Import external signal + sync tracker state labels Jul 6, 2026
@potiuk potiuk merged commit 7bd8ce9 into apache:main Jul 6, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

capability:intake Import external signal + sync tracker state family:security security-* skills

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant