potiuk opened a new pull request, #113:
URL: https://github.com/apache/airflow-steward/pull/113

   ## Summary
   
   - Adds the `security-issue-triage` skill — the initial-triage discussion-starter for `<tracker>` issues still in `Needs triage`. Reads body + comments, applies Security Model framing, proposes one of five disposition classes (VALID / DEFENSE-IN-DEPTH / INFO-ONLY / NOT-CVE-WORTHY / PROBABLE-DUP), and — on user confirmation — posts a standalone top-level comment that invites the security team to react.
   - **Read-only on tracker state.** No label flips, no closes, no body PATCHes, no project-board moves, no CVE allocations. The valid/invalid decision belongs to team consensus; this skill opens the discussion that produces it.
   - Composes with the existing skill family:
     - `security-issue-import` (the on-ramp that creates `Needs triage` trackers)
     - `security-cve-allocate` / `security-issue-invalidate` / `security-issue-deduplicate` (invoked by hand after team consensus on the proposed disposition)
     - `security-issue-sync` (applies the label flip + rollup entry post-consensus)
   - Bulk mode for N > 5 trackers uses the same subagent-fanout pattern as `security-issue-sync`.
   - Adopter-specific configuration via `<project-config>/release-trains.md` (security-team roster for `@`-mention routing), `<project-config>/scope-labels.md` (scope-based routing), and `<project-config>/project.md` (per-project routing rules).
   
   ## Test plan
   
   - [ ] The skill file passes lychee + doctoc + markdownlint via prek.
   - [ ] The heading shape matches sibling skills in `.claude/skills/security-issue-*` so the available-skills list parses the description cleanly.
   - [ ] An end-to-end test against a tracker known to fit each of the 5 classes produces a coherent proposal comment.
   
   ## Origin
   
   Captures the manual workflow run during the 2026-05-11 triage sweep across 9 untriaged trackers in [`airflow-s/airflow-s`](https://github.com/airflow-s/airflow-s) (proposals at #373, #375, #376, #393, #395-#399). The skill formalises the patterns we converged on during that sweep.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)

