potiuk opened a new pull request, #248:
URL: https://github.com/apache/airflow-steward/pull/248
## Summary
Adds a new skill + tool pair, `security-tracker-stats-dashboard`, that
renders a self-contained HTML dashboard of `<tracker>` repository
statistics. Generalised from the in-tree airflow-s implementation
that has been driving the security team's monthly review cadence.
Output: line / area charts (no bars, `connectgaps: true`) covering
- **Lifecycle bands** (stacked) — `open_untriaged` / `open_triaged`
/ `open_pr_merged` / `fixed_released` / `closed_other`, evaluated
per-bucket via configurable predicates.
- **Backlog** — opened-in-bucket vs. untriaged-at-bucket-end.
- **Cumulative opened vs. closed**.
- **Mean time to triage** (hours).
- **Mean time to first response** (hours).
- **Mean time createdAt -> PR opened** (days, requires `<upstream>`).
- **Mean time PR-open -> PR-merged** (days, requires `<upstream>`).
- **Mean time PR-merged -> advisory announced** (days, requires
`<upstream>`).
Vertical annotations on every chart mark the project-configurable
milestones (e.g. "skill adoption", "team handover").
## Why it's useful
Steward adopters today don't have a built-in way to see how their
tracker is trending over time. The reference dashboard is what
gave the airflow-s team a clear "the new skill suite has cut median
time-to-triage from ~5d to <4h" data point, and it surfaced
backlog pressure that drove process tweaks. Making it
project-configurable means any adopter can get the same visibility
without re-implementing the data-plane.
The tool is read-only on GitHub. Both the slash-command path (the
skill) and the script path (`run.sh`) run the same fetch + render
pipeline.
## Config schema
```yaml
buckets: monthly                # monthly | quarterly
start: null                     # null = first tracker createdAt
upstream_repo: apache/airflow   # null -> omit PR charts
milestones:                     # vertical annotations
  - date: 2026-04-20
    label: skill adoption
scope_labels: [airflow, providers, chart]
categories: [...]               # first-match-wins predicates
triage:
  keywords: [...]
  bot_prefixes: [...]
```
Load order (highest priority last):
1. `tools/security-tracker-stats-dashboard/default-config.yaml`.
2. `$TRACKER_STATS_CONFIG` overlay (deep-merged; lists REPLACED).
3. Env-var quick overrides: `TRACKER_STATS_BUCKETS`,
`TRACKER_STATS_START`, `TRACKER_STATS_UPSTREAM_REPO`.
Predicate keys: `state`, `state_reason`, `any_label`, `all_labels`,
`not_label`, `not_any_label`, `no_scope_label`, `has_scope_label`,
`pr_merged_by_snapshot`, plus `any_of` / `all_of` combinators.
Documented in `tools/security-tracker-stats-dashboard/README.md` and inline
in `default-config.yaml`.
## Defaults reproduce the airflow-s reference byte-for-byte
The shipped `default-config.yaml` reproduces the airflow-s
implementation exactly. With the same cache, the new renderer
emits a dashboard whose chart data series are identical to the
existing one (per-bucket counts, cumulative series, mean-time
values, etc.). Differences in the emitted HTML are limited to
variable rename (`months` -> `buckets`) and the title text.
## Files
```
tools/security-tracker-stats-dashboard/
├── README.md (overview + config schema)
├── default-config.yaml (framework defaults)
├── render.py (renderer; reads config)
├── fetch_issues.py
├── fetch_roster.py
├── fetch_bodies.py
├── fetch_events.py
├── fetch_prs.py
└── run.sh
.claude/skills/security-tracker-stats-dashboard/
└── SKILL.md (placeholder-convention header,
              adopter-override + snapshot-drift
              sections, prerequisites, inputs,
              how-to-invoke, golden rules)
projects/_template/
└── security-tracker-stats.md (adopter template doc)
```
## Security family integration
The skill is named `security-tracker-stats-dashboard` and lives under
the `security-*` family prefix, so it joins the security-issue family
that adopters already opt into via the `families: security` lock-file
entry. No `setup-steward` changes are needed — `adopt` and `upgrade`
already pick up any `security-*` skill the snapshot ships.
Adopters' existing `.gitignore` pattern `/.claude/skills/security-*`
already excludes the symlink the snapshot creates, so no gitignore
edit is required either.
## Adopter migration note
Adopters who previously committed a local copy at
`<adopter-repo>/.claude/skills/security-tracker-stats-dashboard/` will,
after running `/setup-steward upgrade`, get the framework version
symlinked in. They should `git rm -r` the committed local copy in
favour of the symlink; the gitignore already excludes the resulting
dangling symlink. The airflow-s adopter has been verified to render
identically before and after the swap.
## Test plan
- [x] Refactored renderer reproduces the airflow-s reference
output's chart data series byte-for-byte.
- [x] `TRACKER_STATS_BUCKETS=quarterly` renders a valid quarterly
dashboard with 13 buckets (2023-Q2 through 2026-Q2).
- [x] `milestones: []` overlay removes all vertical lines.
- [x] `upstream_repo: null` overlay omits the three PR-driven
charts without crashing.
- [x] PyYAML-absent fallback parses `default-config.yaml`
correctly.
- [ ] Reviewer to sanity-check the SKILL.md against the
framework's other skill files for cross-link correctness.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
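The load order described in the PR (defaults, then the `$TRACKER_STATS_CONFIG` overlay deep-merged with lists replaced, then the env-var quick overrides), as an added example that is not part of the PR or the project's code. `deep_merge` and `load_config` are hypothetical names, the `buckets` validation is an assumption, and the sample values are constructed.

```python
import copy

# Env-var quick overrides named in the PR, mapped to the config keys they set.
ENV_OVERRIDES = {
    "TRACKER_STATS_BUCKETS": "buckets",
    "TRACKER_STATS_START": "start",
    "TRACKER_STATS_UPSTREAM_REPO": "upstream_repo",
}

def deep_merge(base, overlay):
    """Return base with overlay applied: dicts merge key by key, while lists
    and scalars from the overlay replace the base value wholesale."""
    merged = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def load_config(defaults, overlay, environ):
    """Apply the three layers in the documented order, highest priority last."""
    config = deep_merge(defaults, overlay or {})
    for var, key in ENV_OVERRIDES.items():
        if var in environ:
            config[key] = environ[var]
    # Assumed validation: the schema comment lists only these two values.
    if config["buckets"] not in ("monthly", "quarterly"):
        raise ValueError(f"buckets must be monthly or quarterly, got {config['buckets']!r}")
    return config

# Constructed sample data, shaped like the schema in the PR description.
DEFAULTS = {
    "buckets": "monthly",
    "start": None,
    "upstream_repo": "apache/airflow",
    "milestones": [{"date": "2026-04-20", "label": "skill adoption"}],
    "scope_labels": ["airflow", "providers", "chart"],
    "triage": {"keywords": ["triaged"], "bot_prefixes": ["github-actions"]},
}
OVERLAY = {
    "milestones": [],                      # replaces the list: no vertical lines
    "scope_labels": ["core"],              # replaces, does NOT append to defaults
    "upstream_repo": None,                 # PR-driven charts are omitted
    "triage": {"keywords": ["accepted"]},  # dict: merged, bot_prefixes survives
}

if __name__ == "__main__":
    print(load_config(DEFAULTS, OVERLAY, {"TRACKER_STATS_BUCKETS": "quarterly"}))
```

Because overlay lists replace rather than extend, an adopter who wants one extra `scope_labels` entry has to restate the defaults alongside it.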