[PR] feat(security): assign the signed-up owner / PR author on the board — when syncing an issue or running a fix [airflow-steward]

Mon, 01 Jun 2026 18:16:01 -0700 


potiuk opened a new pull request, #434:
URL: https://github.com/apache/airflow-steward/pull/434

   ## What & why
   
   Make assignee/board ownership a **consistent rule** applied both when
   **syncing an issue** and when **running a fix**: a person who **signed
   up** to own the issue, or who **authored the fix PR**, gets assigned on
   the board — *if they are part of the project*.
   
   The PR-author → assignee path already existed in `security-issue-sync`;
   this fills the two gaps (the sign-up case, and the fix flow).
   
   ## Changes
   
   **`security-issue-sync` (the sync side)**
   - **`gather.md` Step 1d** — detect the *volunteer-owner* signal (a
     comment volunteering to take the issue).
   - **`signals-to-actions.md` Assignees** — new **sign-up branch** with
     the project-member gate, PR-author precedence, and no-override
     idempotency. This is the single source of truth for the rule.
   
   **`security-issue-fix` (the fix side)**
   - **Step 10** — explicit step to assign the tracking issue to the fix
     owner (remediation developer / PR author, or a signed-up volunteer)
     once the PR exists, **reading the same rule** from
     `security-issue-sync/signals-to-actions.md`.
   
   **Common gate (both):** assign only when the person is a security-team
   roster member or `<tracker>` collaborator — a non-member can't see the
   private tracker and GitHub silently drops the assignee write, so they're
   recorded + surfaced (*"…volunteered but is not a collaborator — invite
   them first?"*) and never auto-assigned. Existing assignees are never
   overridden; the release-manager hand-off stays at the `fix released`
   transition.
   
   `issue-fix-workflow` is intentionally left untouched — by contract it
   does not write to the tracker or self-assign.
   
   All changes stay propose-before-apply behind the `gh` confirmation gate.
   
   ## Testing
   
   `pre-commit` full suite green (skill-and-tool validator incl. capability
   sync, placeholder linter, markdownlint); lychee clean (only the standard
   `<project-config>` placeholder exclusions).
   
   Generated-by: Claude Code (Opus 4.8)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to