potiuk opened a new pull request, #361: URL: https://github.com/apache/airflow-steward/pull/361
## Summary

Follow-up to **#360** (`generate-cve-json`: gate DRAFT → REVIEW on active release vote). #360 added the gating *mechanism* on the generator side — the configured `rc voting` tracker label is what makes `compute_cna_private_state` emit REVIEW instead of DRAFT. This PR teaches the sync skill **where the label comes from**: scan the project's dev mailing list for active `[VOTE]` threads and propose adding the label when one matches the tracker's fix-PR milestone.

## Mechanics

All in `.claude/skills/security-issue-sync/SKILL.md`:

- **New sub-step `1h. Detect active release-vote threads`.** Opt-in, gated on the same `[workflow].release_vote_gating` flag from #360. PonyMail is the primary read source (`dev@<project>.apache.org`, 21-day window, `[VOTE]` subject filter); Gmail is the fallback. Match the version in the vote subject against the tracker's fix-PR milestone. Only fires for trackers in the `pr merged` → `fix released` window.
- **New row in the `1d` signal table** pointing at `1h`.
- **New paragraph under the `2b` Labels bullet** covering the add / remove proposal shapes. The remove path piggy-backs on the existing `pr merged` → `fix released` transition (vote passed → release shipped → label historical).

## Hard rule preserved

No auto-apply. The label is always a numbered proposal requiring user confirmation; the human read of *"yes, that vote is for our carrier release"* is the gate, since the label has real downstream effects on the embedded CVE JSON state.

## Out of scope (deliberate)

Failed-vote detection. The heuristic is fragile (no canonical `[RESULT]` shape for failures, votes get re-cut as new RCs) and the manual re-add cost on the next vote is low. The team removes the label by hand when a vote fails.

## Test plan

Markdown-only change to a skill file. Pre-commit validation (`skill-and-tool-validate`) passed locally. No functional tests added — skill behaviour is interactive and the agent applies the new sub-step on the next sync run.
## Adopter rollout

This PR ships only the skill change. Each adopter that wants the gating enables it independently by:

1. Setting `[workflow].release_vote_gating = true` in their `cve-json-config.toml`.
2. (Optional) overriding the default label name via `[workflow].rc_voting_label = "..."`.
3. (Optional) overriding the dev-list address via `[workflow].release_vote_list = "..."` when the project's release-vote list is non-standard.

For Airflow specifically, the rollout follow-up is to flip the flag in `airflow-s/.apache-steward-overrides/tools/vulnogram/cve-json-config.toml` once **#360** lands. Separate PR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
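The vote-detection and label-proposal heuristic the PR describes (21-day `[VOTE]` window, milestone match, `pr merged` → `fix released` gating, proposals only, no auto-apply), as an added illustration in Python. This is not the skill's own code, which is a Markdown skill file; the record shapes, the `active_votes` / `propose_labels` / `run_sample` names, and the sample threads and trackers are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Parameters taken from the PR text: 21-day PonyMail lookback and a [VOTE] subject filter.
VOTE_WINDOW = timedelta(days=21)
VOTE_SUBJECT = re.compile(r"^\s*(?:re:\s*)?\[VOTE\].*?(\d+\.\d+\.\d+)", re.I)

def active_votes(threads, now):
    """Map version -> first [VOTE] subject seen within the lookback window.
    `threads` is a constructed list of {"subject", "date"} records (assumed shape)."""
    found = {}
    for t in threads:
        m = VOTE_SUBJECT.match(t["subject"])
        if m and now - t["date"] <= VOTE_WINDOW:
            found.setdefault(m.group(1), t["subject"])  # keep the original, not the Re:
    return found

def propose_labels(trackers, votes, label="rc voting"):
    """Return numbered (n, action, label, tracker_id, reason) proposals.
    Nothing is applied: per the PR's hard rule a human confirms each one."""
    proposals = []
    for tr in trackers:
        has_label = label in tr["labels"]
        if tr["state"] == "pr merged" and tr["milestone"] in votes and not has_label:
            # active vote matches the fix-PR milestone -> propose adding the label
            proposals.append((len(proposals) + 1, "add", label, tr["id"], votes[tr["milestone"]]))
        elif tr["state"] == "fix released" and has_label:
            # vote passed and release shipped -> label is historical, propose removal
            proposals.append((len(proposals) + 1, "remove", label, tr["id"], "release shipped"))
    return proposals

# Constructed sample data (not real mailing-list or tracker content).
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)
SAMPLE_THREADS = [
    {"subject": "[VOTE] Release Apache Airflow 2.10.4 from 2.10.4rc1", "date": NOW - timedelta(days=3)},
    {"subject": "Re: [VOTE] Release Apache Airflow 2.10.4 from 2.10.4rc1", "date": NOW - timedelta(days=2)},
    {"subject": "[VOTE] Release Apache Airflow 2.9.3 from 2.9.3rc2", "date": NOW - timedelta(days=40)},
    {"subject": "[DISCUSS] Dropping Python 3.8 support", "date": NOW - timedelta(days=1)},
]
SAMPLE_TRACKERS = [
    {"id": "T-1", "state": "pr merged", "milestone": "2.10.4", "labels": set()},             # add
    {"id": "T-2", "state": "pr merged", "milestone": "2.9.3", "labels": set()},              # vote too old
    {"id": "T-3", "state": "fix released", "milestone": "2.10.3", "labels": {"rc voting"}},  # remove
    {"id": "T-4", "state": "triage", "milestone": "2.10.4", "labels": set()},                # not in window
]

def run_sample():
    """Run the heuristic over the constructed data and return the proposal list."""
    return propose_labels(SAMPLE_TRACKERS, active_votes(SAMPLE_THREADS, NOW))
```

The Re: thread collapses onto its original, the 40-day-old vote falls outside the window, and only the tracker in the `pr merged` state with a matching milestone gets an add proposal.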
