potiuk opened a new pull request, #360: URL: https://github.com/apache/airflow-steward/pull/360
## Summary

The Vulnogram REVIEW state means "this CVE record is about to be published". For projects with a release-vote step before shipping the advisory (every ASF project), REVIEW only makes sense once an RC is being voted on — otherwise the generator keeps auto-advancing records to REVIEW any time the body changes, and reviewers have to push them back to DRAFT.

This PR makes the DRAFT → REVIEW transition **opt-in gated** on a tracker label (`rc voting` by default, configurable). Non-ASF adopters that publish advisories without a separate release-vote step keep the original behaviour by default.

## Mechanics

- New config switch `[workflow].release_vote_gating` (default `false` — preserves legacy behaviour for non-ASF adopters).
- New config field `[workflow].rc_voting_label` (default `"rc voting"` — the label name to look for on the tracker).
- `compute_cna_private_state` is now tri-state: `True` ⇒ REVIEW, `False` ⇒ DRAFT, `None` (default) ⇒ legacy "ready ⇒ REVIEW".
- `fetch_issue` returns `(title, body, labels)` so `main` can read the label set without a second `gh` call.
- Two CLI overrides: `--review` / `--draft` (mutually exclusive) for ad-hoc state nudging by a release manager.

## State machine after this change

| Input | Output |
|---|---|
| Incomplete CNA | `DRAFT` |
| Ready, gating off (default), no override | `REVIEW` (legacy) |
| Ready, gating on, no label / no override | `DRAFT` |
| Ready, gating on, label present (or `--review`) | `REVIEW` |
| Ready + `vendor-advisory` reference | `PUBLIC` (unchanged; not gated by the vote signal) |

## Test plan

- [x] 242 unit tests pass (`uv run pytest`).
- [x] Coverage added for: default-off path, gating-on without label (DRAFT), gating-on with label (REVIEW), `--review` override, `--draft` override, mutually-exclusive flags, custom `rc_voting_label` from config.
- [x] Existing tests still pass — the default code path is byte-identical when `release_vote_gating = false`.

## Out of scope (follow-up)

Detecting active [VOTE] threads on `dev@<project>.apache.org` and proposing the `rc voting` label belongs in the `security-issue-sync` skill (which already has PonyMail / Gmail MCP context). This PR ships only the generator-side gating; the sync-skill change lands separately so the label stays human-confirmable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
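The state table and the tri-state signal described in this PR, modelled as an added Python example. This is not code from apache/airflow-steward: the `Cna` record shape, the `vote_signal` and `decide_state` helpers, and the precedence of an explicit `--review`/`--draft` over the tracker label are assumptions drawn from the PR description; only the config key names, the label default, the state names and the `compute_cna_private_state` tri-state contract come from the text above.

```python
"""Model of the DRAFT / REVIEW / PUBLIC decision described in PR #360.

Added illustration, not the project's own code. Function and record names
are hypothetical; the decision order follows the PR's state table.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class CnaState(str, Enum):
    """The three Vulnogram states the PR description refers to."""
    DRAFT = "DRAFT"
    REVIEW = "REVIEW"
    PUBLIC = "PUBLIC"


@dataclass(frozen=True)
class WorkflowConfig:
    """The two [workflow] keys named in the PR; defaults keep the legacy path."""
    release_vote_gating: bool = False
    rc_voting_label: str = "rc voting"


@dataclass(frozen=True)
class Cna:
    """Constructed stand-in for a CNA record: only the fields the rule reads."""
    complete: bool
    has_vendor_advisory_ref: bool = False


def vote_signal(config: WorkflowConfig, labels: FrozenSet[str],
                review: bool = False, draft: bool = False) -> Optional[bool]:
    """Collapse CLI overrides and the tracker label into the tri-state signal.

    True -> REVIEW, False -> DRAFT, None -> legacy "ready => REVIEW".
    Assumption: an explicit --review/--draft wins over the label, and with
    gating off the label is ignored entirely (legacy behaviour).
    """
    if review and draft:
        raise ValueError("--review and --draft are mutually exclusive")
    if review:
        return True
    if draft:
        return False
    if not config.release_vote_gating:
        return None
    return config.rc_voting_label in labels


def compute_cna_private_state(cna: Cna, signal: Optional[bool]) -> CnaState:
    """Apply the PR's state table to one record."""
    if not cna.complete:
        return CnaState.DRAFT      # incomplete CNA
    if cna.has_vendor_advisory_ref:
        return CnaState.PUBLIC     # unchanged; not gated by the vote signal
    if signal is None or signal:
        return CnaState.REVIEW     # legacy path, label present, or --review
    return CnaState.DRAFT          # gating on without label, or --draft


def decide_state(config: WorkflowConfig, cna: Cna,
                 labels: FrozenSet[str] = frozenset(),
                 review: bool = False, draft: bool = False) -> CnaState:
    """What `main` would do once `fetch_issue` has handed it the label set."""
    return compute_cna_private_state(cna, vote_signal(config, labels, review, draft))


if __name__ == "__main__":
    gated = WorkflowConfig(release_vote_gating=True)
    ready = Cna(complete=True)
    print(decide_state(WorkflowConfig(), ready).value)                        # REVIEW
    print(decide_state(gated, ready).value)                                   # DRAFT
    print(decide_state(gated, ready, labels=frozenset({"rc voting"})).value)  # REVIEW
```

The point a reviewer would check with this model is the last two branches of `compute_cna_private_state`: with `release_vote_gating = false` the signal is always `None`, so a ready record still lands in REVIEW exactly as before, while a gated project only reaches REVIEW through the label or an explicit `--review`.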
