potiuk opened a new pull request, #151: URL: https://github.com/apache/airflow-steward/pull/151
## Summary

Changes the standard candidate-listing exclusions in `security-issue-import` Step 1 so that GHSA-relayed reports (which arrive via `[email protected]` with subjects of the form `[<upstream>] ... (GHSA-...)`) are no longer indiscriminately filtered out together with the tracker-mirror notifications. Adjusts the canonical query template in `tools/gmail/search-queries.md` to match.

## Motivation

In a 2026-05-14 import sweep against `airflow-s/airflow-s`, four GHSA-relayed reports from Lokhesh Ujhoodha (`[email protected]`, GitHub `@Lougarou`) were missed by the default 14-day candidate query because the standard exclusion `-from:[email protected]` dropped them along with the GitHub mirror chatter. The reporter had been told by ASF Security to split his consolidated report into separate GHSAs and had complied — but the resulting GHSA-notification threads weren't surfaced as candidates.

The fix is a more nuanced exclusion: drop only the tracker-mirror noreply addresses (which have stable, distinct sender domains like `<tracker-repo>@noreply.github.com`) and keep `[email protected]`. Tracker mirror chatter is then caught at Step 2 (threadId dedup against the tracker repo body field) — which is the correct dedup layer for the mirror case.

## Adopter follow-up

Adopters must update their project's mirror-sender declarations in `<project-config>/project.md` to remove the blanket `-from:[email protected]` line and keep only the dedicated `<tracker-repo>@noreply.github.com` mirror sender. For `airflow-s`: drop the line from `.apache-steward-overrides/project.md`.

## Test plan

- [ ] Re-run `/security-issue-import import last 30d` against `airflow-s/airflow-s` (after the adopter follow-up lands) and confirm the 4 GHSA threads (`19e167aefdba1213`, `19e167cfa9c2acef`, `19e167da9bbff594`, `19e167e6a6eb9b03`) surface as candidates.
- [ ] Confirm that GitHub-mirror chatter on existing trackers (e.g. the `[airflow-s/airflow-s] Issue #NNN` notifications) is still correctly dropped by Step 2 threadId dedup.
- [ ] Step 2-bis (already-answered-on-thread) should NOT misfire on GHSA threads (the "team-member replied with canned response" detection looks for project team members, not GitHub automation; GHSA replies come from `[email protected]` which isn't on the roster, so Step 2-bis doesn't trigger).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
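The two-layer behaviour the PR relies on (Step 1 sender exclusion, Step 2 threadId dedup) is easy to get wrong in the blanket form the PR removes, so here is an added example that models both layers and runs them over a constructed mailbox. This is illustration code written for this page, not code from the airflow-steward project. The sender addresses, the `newer_than:` query clause, the subject texts, thread ids and GHSA identifiers are all assumptions or constructed sample values; the real addresses are obfuscated on the page and the real query template lives in `tools/gmail/search-queries.md`.

```python
# Added example (not airflow-steward project code): minimal model of the
# candidate pipeline the PR describes, Step 1 sender exclusion followed by
# Step 2 threadId dedup, run over a constructed sample mailbox.
import re
from dataclasses import dataclass

# Subject shape of a GHSA-relayed report: "[<upstream>] ... (GHSA-...)".
GHSA_SUBJECT = re.compile(
    r"^\[(?P<upstream>[^\]]+)\] .*\((?P<ghsa>GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})\)\s*$"
)

# Placeholder sender addresses (assumptions, not the real ones):
#   GHSA_RELAY stands in for the GitHub notification address GHSA reports arrive from,
#   TRACKER_MIRROR stands in for "<tracker-repo>@noreply.github.com".
GHSA_RELAY = "ghsa-relay@example.invalid"
TRACKER_MIRROR = "airflow-s-tracker@noreply.github.com"


@dataclass(frozen=True)
class Message:
    thread_id: str
    sender: str
    subject: str


def build_query(days, excluded_senders):
    """Gmail candidate query for the last `days` days with one -from: per excluded sender."""
    clauses = [f"newer_than:{days}d"] + [f"-from:{s}" for s in sorted(excluded_senders)]
    return " ".join(clauses)


def step1_candidates(messages, excluded_senders):
    """Step 1: drop every message whose sender is on the exclusion list."""
    excluded = {s.lower() for s in excluded_senders}
    return [m for m in messages if m.sender.lower() not in excluded]


def step2_dedup(candidates, tracked_thread_ids):
    """Step 2: drop threads already recorded in a tracker's body field."""
    return [m for m in candidates if m.thread_id not in tracked_thread_ids]


def run_sweep(messages, excluded_senders, tracked_thread_ids):
    """Step 1 then Step 2; returns the surviving candidates in mailbox order."""
    return step2_dedup(step1_candidates(messages, excluded_senders), tracked_thread_ids)


def ghsa_ids(messages):
    """GHSA identifiers of the GHSA-relayed reports among `messages`, in order."""
    found = []
    for m in messages:
        match = GHSA_SUBJECT.match(m.subject)
        if match:
            found.append(match.group("ghsa"))
    return found


# Constructed sample mailbox: four GHSA-relayed reports, two issue notifications
# on existing trackers (same relay sender), one dedicated tracker-mirror message.
SAMPLE_MESSAGES = [
    Message("t-ghsa-1", GHSA_RELAY, "[airflow-s/airflow-s] Finding one (GHSA-aaaa-bbbb-cccc)"),
    Message("t-ghsa-2", GHSA_RELAY, "[airflow-s/airflow-s] Finding two (GHSA-dddd-eeee-ffff)"),
    Message("t-ghsa-3", GHSA_RELAY, "[airflow-s/airflow-s] Finding three (GHSA-gggg-hhhh-iiii)"),
    Message("t-ghsa-4", GHSA_RELAY, "[airflow-s/airflow-s] Finding four (GHSA-jjjj-kkkk-llll)"),
    Message("t-issue-101", GHSA_RELAY, "[airflow-s/airflow-s] Issue #101"),
    Message("t-issue-102", GHSA_RELAY, "[airflow-s/airflow-s] Issue #102"),
    Message("t-mirror-1", TRACKER_MIRROR, "[airflow-s-tracker] Issue #7"),
]
# Constructed: thread ids already referenced by existing trackers' body fields.
TRACKED_THREAD_IDS = {"t-issue-101", "t-issue-102"}

BLANKET_EXCLUSION = {GHSA_RELAY, TRACKER_MIRROR}   # the pre-PR behaviour
NARROW_EXCLUSION = {TRACKER_MIRROR}                 # the post-PR behaviour

if __name__ == "__main__":
    for label, excl in (("blanket", BLANKET_EXCLUSION), ("narrow", NARROW_EXCLUSION)):
        survivors = run_sweep(SAMPLE_MESSAGES, excl, TRACKED_THREAD_IDS)
        print(f"{label}: {build_query(14, excl)}")
        print(f"  candidates={len(survivors)} ghsa={ghsa_ids(survivors)}")
```

With the blanket exclusion Step 1 removes every relay-sent message, so no GHSA report ever reaches Step 2. With the narrow exclusion Step 1 keeps six relay-sent messages, and Step 2 then drops the two issue notifications whose thread ids are already on trackers, leaving exactly the four GHSA threads as candidates; this is why the PR calls Step 2 the correct dedup layer for mirror chatter.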
