potiuk opened a new pull request, #381:
URL: https://github.com/apache/airflow-steward/pull/381

   ## Summary
   
   First of 5 PRs converting the security skill family from
   Airflow/ASF-coupled to a generic framework with ASF as the
   default-configured option.
   
   **This PR is pure additions — zero behaviour change.** Every
   existing ASF assumption gets a config knob with the current
   behaviour as the default, so the airflow-s reference adopter is
   byte-equivalent to today.
   
   ## Scope
   
   Based on a discovery audit (179 findings across 18 files) that
   catalogued every ASF/Airflow hardcoded assumption in the security
   skill family and grouped them into 11 dimensions: cve_authority,
   governance, security_inbox, forwarders, mail_provider,
   archive_system, tracker, scope_detection, release_process, roster,
   product.
   
   ## Files
   
   - **`projects/_template/project.md`** — new *Security workflow
     configuration* section with 11 YAML blocks. Every field carries
     a comment naming what it controls, the ASF default, when a
     non-ASF adopter would override it, and the 1-3 skills that
     consume it.
   
   - **`tools/cve-tool/README.md`** — adapter contract for CNA
     backends. Defines the interface every CVE-authority adapter must
     implement (`allocate`, `fetch_current_state`, `push_update`,
     `publish`, `retract`) plus a generic state-verb mapping
     (`allocated` → `review-ready` → `publish-ready` → `public`).
     ASF-default adapter: `tools/vulnogram/` (renamed to
     `tools/cve-tool-vulnogram/` in PR4).
   
   - **`tools/mail-archive/README.md`** — adapter contract for
     public mail-archive backends. Defines `search_thread_url`,
     `fetch_thread_by_url`, `list_recent_threads`,
     `publication_signal_url`. ASF-default adapter: `tools/ponymail/`
     (renamed in PR3).
   
   - **`tools/forwarder-relay/README.md`** — adapter contract for
     forwarder-relay inbound paths. Defines `detect`,
     `extract_credit`, `contact_handle`, `preamble_match`,
     `reporter_addressing_block`. ASF-default adapter: the ASF
     Security forwarder shape in `tools/gmail/asf-relay.md`
     (renamed in PR3).
   
   - **`docs/labels-and-capabilities.md`** — 3 new rows for the new
     tool stubs (all `capability:setup`, pure interface specs).
   
   ## What is *not* in this PR
   
   - No skill body changes.
   - No tool implementations renamed.
   - No ASF-default adapter changes — `tools/vulnogram/`,
     `tools/ponymail/`, `tools/gmail/asf-relay.md` continue to be
     the only shipping adapters and continue to be referenced where
     they always have been.
   
   Skills will be lifted to read these knobs in PR2–PR5.
   
   ## Coming up
   
   - **PR2** — trivial config-driven lifts: `security-tracker-stats-dashboard`,
     `security-issue-fix`, `security-issue-deduplicate`,
     `security-issue-import-from-md`, `security-issue-triage`,
     `security-issue-import-from-pr`.
   - **PR3** — forwarder + archive sub-tools: rename
     `tools/ponymail/` and `tools/gmail/asf-relay.md` as ASF-default
     adapters; update `security-issue-import` (drop `ASF-security
     relay` row from generic body, push into optional sub-skill),
     `security-issue-invalidate` (Step 5d), `security-issue-sync`
     Step 2b.
   - **PR4** — CVE-authority sub-tool extract: biggest of the five.
     Rename `tools/vulnogram/` → `tools/cve-tool-vulnogram/`.
     Rewrite `security-cve-allocate`, `security-issue-sync` (Steps
     5b/5c — the 600-line section), `security-issue-invalidate`
     Step 0, `security-issue-deduplicate`,
     `docs/security/process.md` Steps 12-14, `docs/security/roles.md`
     against the `<cve-tool>` placeholder and tool-agnostic state
     verbs.
   - **PR5** — docs + final scrub: `docs/security/threat-model.md`,
     `forwarder-routing-policy.md`, `how-to-fix-a-security-issue.md`,
     `new-members-onboarding.md`; delete remaining literal
     `@potiuk` / `@raboof` / `Apache Airflow` / `airflow |
     providers | chart` from skill bodies and templates.
   
   ## Test plan
   
   - [x] `uv run --project tools/skill-and-tool-validator skill-and-tool-validate`
     clean (1 pre-existing soft warning on an unrelated skill).
   - [x] `pytest` clean for the validator (218 tests).
   - [x] All pre-commit hooks pass (markdownlint, doctoc, typos,
     check-placeholders, etc.).
   - [ ] Spot-read the rendered project.md on GitHub and confirm
     table formatting / YAML-block rendering looks right.
   - [ ] Confirm the airflow-s adopter still resolves every existing
     ASF behaviour without changes (byte-equivalence invariant).
   

