potiuk opened a new pull request, #386: URL: https://github.com/apache/airflow-steward/pull/386
## Summary

Second of 5 PRs converting the security skill family from Airflow/ASF-coupled to a generic framework with ASF as the default-configured option. PR1 ([#381](https://github.com/apache/airflow-steward/pull/381)) landed the schema + adapter contracts with ASF defaults. **This PR lifts 6 skills to read those knobs** (and the existing sibling adopter-config files like `scope-labels.md`, `release-trains.md`, `fix-workflow.md`, `milestones.md`) instead of inlining ASF/Airflow values.

**Byte-equivalent for the airflow-s adopter.** Every value the skill currently inlines either becomes a reference to a config knob whose ASF default matches today's inlined value, OR keeps the inlined airflow-s value as a single named example in generic prose.

## Per-skill lifts

| Skill | Lines | What was lifted |
|---|---|---|
| `security-tracker-stats-dashboard` | +29/-8 | `default-config.yaml` annotated with cross-references to `scope_detection.labels` + `tracker.labels`; no literal default values changed |
| `security-issue-deduplicate` | +26/-15 | Scope cross-merge rule + scope-check + milestone shapes + CVE-record URL → PR1 knobs |
| `security-issue-import-from-md` | +18/-5 | `<security-list>` placeholder uses, body-field heading map → `tracker.body_fields`, label list → `tracker.labels`, scope rule → `scope_detection.labels` |
| `security-issue-fix` | +78/-48 | Toolchain (`uv`/`breeze`/`prek`) → `<project-config>/fix-workflow.md`; package registries → `release_process.artifact_registries`; `apache/airflow` → `<upstream>`; `main` → `<default-branch>` |
| `security-issue-triage` | +48/-27 | Scope-label triads → `scope_detection.labels`; canned-response examples reframed as airflow-s named examples; `@`-handle routing → roster references |
| `security-issue-import-from-pr` | +85/-45 | Biggest lift. Project-board node IDs de-inlined; scope cascade → `scope_detection.labels`; `Apache Airflow:` title-prefix → `<vendor>: <product>:` derived from `project.md` |

**Aggregate**: +280/-129 lines across 7 files.

## What is *not* in this PR

- **No ASF-default adapter is touched.** `tools/vulnogram/`, `tools/ponymail/`, `tools/gmail/asf-relay.md` continue to be the only shipping adapters and continue to be referenced where they always have been. Those rename to `tools/cve-tool-vulnogram/` (PR4) and the forwarder-relay / mail-archive sub-tool extracts (PR3) come later.
- **No skill outside the 6 above is touched.** Deep skills (`security-issue-sync`, `security-cve-allocate`, `security-issue-invalidate`, `security-issue-import`) are PR3/PR4 — they need the sub-tool extracts to land first.
- **No new placeholders are introduced** beyond those declared in PR1's schema. Existing AGENTS.md placeholders (`<upstream>`, `<tracker>`, `<security-list>`, `<default-branch>`, etc.) are used per convention.

## Coming up

- **PR3** — forwarder-relay + mail-archive sub-tools. Renames `tools/ponymail/` and the asf-relay shape as ASF-default adapters; updates `security-issue-import` (drop `ASF-security relay` row from generic body, push into optional sub-skill), `security-issue-invalidate` Step 5d, `security-issue-sync` Step 2b.
- **PR4** — CVE-authority sub-tool extract (biggest). Renames `tools/vulnogram/` → `tools/cve-tool-vulnogram/`. Rewrites `security-cve-allocate`, `security-issue-sync` Steps 5b/5c (~600 lines), `security-issue-invalidate` Step 0, `security-issue-deduplicate`, `docs/security/process.md` Steps 12-14, `docs/security/roles.md` against the `<cve-tool>` placeholder + tool-agnostic state verbs (`allocated` → `review-ready` → `publish-ready` → `public`).
- **PR5** — docs + final scrub.

## Test plan

- [x] `uv run --project tools/skill-and-tool-validator skill-and-tool-validate` clean (1 pre-existing soft warning on an unrelated skill).
- [x] `pytest` clean for the validator (218 tests).
- [x] All pre-commit hooks pass (markdownlint, doctoc, typos, check-placeholders, etc.).
- [ ] Spot-read the rendered diff on GitHub to confirm cross-references and the "airflow-s as named example" pattern reads well.
- [ ] Confirm the airflow-s adopter still resolves every existing ASF behaviour without changes (byte-equivalence invariant — guarded by the fact that PR1's ASF defaults are byte-equivalent to the previously-hardcoded values).
