refactor(skills): make the fix-released → REVIEW push atomic in security-issue-sync#767
Merged
Merged
Conversation
…deferrable The `pr merged → fix released` transition in security-issue-sync must regenerate + push the CVE JSON (allocated → review-ready) in the same apply pass as the label flip — never deferred to a later sync or a separate confirmation. A tracker labelled `fix released` whose CVE record is still DRAFT strands the release manager (gated on REVIEW) and silently stalls the advisory. - apply-and-push.md (Step 5b): add the atomicity rule and the single acceptable deferral (unavailable session → manual-paste hand-off + explicit "still DRAFT" blocker, never silent). - bulk-mode.md: clarify the CVE-affecting-bucket confirmation gate is for body-field content judgment only; the mechanical DRAFT→REVIEW state push rides the fix-released label-flip confirmation. Surfaced by the 2026-07-06 Apache Airflow sync, where 8 trackers advanced to `fix released` but their CVE records stayed DRAFT on Vulnogram until a separate manual push. Generated-by: Claude Code (Opus 4.8)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pr merged → fix releasedtransition insecurity-issue-syncatomic: confirming the label flip authorises the CVE-JSON regen + OAuth push (allocated → review-ready) + hand-off, all in the same apply pass.DRAFT → REVIEWstate push is not parked behind it.Motivation
Surfaced by the 2026-07-06 Apache Airflow security sync: 8 trackers were advanced to
fix releasedwhen Airflow 3.3.0 GA'd, but the CVE-JSON push was deferred, leaving all 8 records atDRAFTon Vulnogram. They only reachedREVIEWafter the operator asked for a separate push run. Because the RM hand-off is gated onREVIEW, the deferral silently stalls the advisory.Step 5b already prescribes that sync pushes the JSON mechanically; what was missing was an explicit statement that this is non-deferrable at
fix released, and that the bulk-mode CVE-affecting gate (a content-judgment gate) does not apply to the mechanical state push.Originating override:
.apache-magpie-overrides/security-issue-sync.mdin the adopter's Airflow security-tracker repo.Changes
skills/security-issue-sync/apply-and-push.md(Step 5b) — atomicity rule + single acceptable deferral.skills/security-issue-sync/bulk-mode.md— CVE-affecting-bucket scope clarification.Docs-only; no tooling/schema change, no config knob, no default changed — no migration for existing adopters.
Test plan
prek run --files …apply-and-push.md …bulk-mode.md— all hooks pass (markdownlint, typos, lychee, check-placeholders, skill-and-tool-validate).🤖 Generated with Claude Code