This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 54514a7 skills/security-cve-allocate: trim frontmatter to fit metadata budget (#124)
54514a7 is described below
commit 54514a7d01d0d371aad097c0ed65bd88e12918f0
Author: Yeonguk Choo <[email protected]>
AuthorDate: Tue May 12 03:49:41 2026 +0900
skills/security-cve-allocate: trim frontmatter to fit metadata budget (#124)
The frontmatter for security-cve-allocate was carrying body content —
the full title-cleanup spec (vendor/product prefix, `[ Security Report ]`
banner, trailing version parens), the non-PMC relay rule, the exact
`generate-cve-json --attach` invocation, and the security-issue-sync
post-conditions (milestone / assignee / reporter drafts / fix-PR state).
Trims description + when_to_use from 1,197 → 813 chars (margin 339 → 723).
Keeps the routing-relevant artefact names verbatim (ASF Vulnogram URL,
*CVE tool link* field, `cve allocated` label, paste-ready CVE JSON,
`security-issue-sync` handoff) and a `(PMC-gated)` flag for the
non-PMC relay distinction.
Every literal trigger phrase from the original when_to_use is preserved
verbatim. Routing recall does not regress.
Tracking: #118
---
.claude/skills/security-cve-allocate/SKILL.md | 32 ++++++++++++---------------
1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/.claude/skills/security-cve-allocate/SKILL.md
b/.claude/skills/security-cve-allocate/SKILL.md
index bbd7e44..6ca2171 100644
--- a/.claude/skills/security-cve-allocate/SKILL.md
+++ b/.claude/skills/security-cve-allocate/SKILL.md
@@ -3,25 +3,21 @@ name: security-cve-allocate
mode: Triage
description: |
Walk a security team member through allocating a CVE for an
- <tracker> tracking issue. Prints the ASF Vulnogram
- allocation URL and a CVE-ready title (the issue title stripped of
- redundant `<vendor>: <product>:` (e.g. `Apache Airflow:`), `[ Security
Report ]`, trailing
- version parens and similar noise), waits for the allocated CVE ID
- (allocation is PMC-gated — non-PMC triagers relay to a PMC
- member), and then updates the tracker in place: fills in the
- *CVE tool link* field, adds the `cve allocated` label, posts a
- collapsed status-change comment, and runs `generate-cve-json
- --attach` to embed the paste-ready JSON in the body. Finishes by
- handing off to the `security-issue-sync` skill to reconcile the
- rest of the tracker (milestone, assignee, reporter drafts, fix-PR
- state) now that the CVE landing is complete.
+ `<tracker>` tracking issue (PMC-gated). Prints the ASF
+ Vulnogram allocation URL and a CVE-ready title, waits for
+ the allocated CVE ID, then updates the tracker in place:
+ fills in the *CVE tool link* field, adds the `cve allocated`
+ label, posts a status-change comment, and embeds the
+ paste-ready CVE JSON in the body. Hands off to
+ `security-issue-sync` to reconcile the rest of the tracker.
when_to_use: |
- Invoke when a security team member says "allocate a CVE for NNN",
- "open the ASF CVE tool for NNN", "time to allocate NNN" — typically
- after the tracker has been assessed and the team has agreed the
- report is valid (process step 6). Not appropriate before the
- valid/invalid decision has been landed, nor for trackers that
- already carry a CVE ID in their *CVE tool link* body field.
+ Invoke when a security team member says "allocate a CVE for
+ NNN", "open the ASF CVE tool for NNN", "time to allocate
+ NNN" — typically after the tracker has been assessed and the
+ team has agreed the report is valid (process step 6). Skip
+ before the valid/invalid decision has landed, or for
+ trackers that already carry a CVE ID in their *CVE tool
+ link* body field.
argument-hint: "[issue-number] [CVE-YYYY-NNNNN]"
license: Apache-2.0
---
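Review bot: the `(PMC-gated)` flag in the new description line `` `<tracker>` tracking issue (PMC-gated). Prints the ASF `` now attaches to the tracking issue rather than to the allocation step it qualified in the removed text (`allocation is PMC-gated — non-PMC triagers relay to a PMC member`); moving it to read `allocating a CVE (PMC-gated) for an` keeps the gate on the right action. Also, this hunk drops the title-cleanup rules, the non-PMC relay rule and the exact `generate-cve-json --attach` invocation from the frontmatter, and no other hunk in the patch adds them elsewhere; please confirm the SKILL.md body already states them, as the commit message implies, so the trim does not remove the only place those steps were written down.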