potiuk opened a new pull request, #548: URL: https://github.com/apache/airflow-steward/pull/548
## What & why Reports rejected on the security list with a canned reply but **without creating a tracker** were invisible to the stats dashboard — their only audit trail was the mail thread + the `canned-responses.md` precedent. This adds a lightweight, GitHub-native way to record and count them. ## Mechanism A single dedicated **ledger issue** in the tracker repo, identified by the `rejections-ledger` label (deliberately **not** the `security issue` marker, so it's excluded from the board and from tracker stats). Each rejection is one comment: ``` <!-- rejection v1 --> date: YYYY-MM-DD reporter: <email/name> canned: <canned-response-slug> thread: <url-or-threadid> summary: <one line> ``` A one-time historical backfill is recorded as `<!-- rejection-backfill v1 count: N -->`. ## Changes - **`skills/security-issue-import`** — on every reject-without-tracker disposition (`skip NN`+canned, `reject-with-canned`, `reject-with-public-fix`, confirmed `automated-scanner` / `consolidated-multi-issue` / `media-request`), append a rejection comment to the ledger issue. Never creates a tracker. Excludes `spam` / `cve-tool-bookkeeping`, and excludes `security-issue-invalidate` (those are tracked closes, already counted — no double-count). - **`tools/security-tracker-stats-dashboard/render.py`** — parse the ledger issue's comments (dated markers bucketed on the monthly/quarterly axis + the backfill as a "historical (pre-ledger)" lump), add a "rejected (no tracker)" headline + chart, and exclude the ledger issue from all tracker classification/counts. New `rejections_ledger_label` knob (default `rejections-ledger`; `null` disables). No new fetch script — `fetch_issues.py` already pulls comments. - **`skills/security-issue-sync/bulk-mode.md`** — drop `rejections-ledger` issues from set-valued selectors (`sync all`, etc.) so the ledger is never dispatched a sync subagent. - **docs/templates** — README + `projects/_template/project.md` + `security-tracker-stats.md` document the convention and the knob. ## Testing Rendered against a real adopter cache: the ledger issue is excluded from tracker counts (total unchanged at 261), the backfill is counted in the headline + banner, dated markers bucket correctly (verified on synthetic data), and the stat degrades gracefully when the label is `null` or no ledger issue exists. `prek` green (doctoc / markdownlint / typos / placeholders / skill-and-tool-validate). 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
