The GitHub Actions job "tests" on 
airflow-steward.git/sync-auto-publish-lifecycle has succeeded.
Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run:
c3de5e3fc458015e641827b35f22764a4036ca6b / Jarek Potiuk <[email protected]>
feat(security-issue-sync): RM handoff — no shell commands; sync drives full 
post-advisory close-out

Reshape the release-manager hand-off contract so the RM's surface is
**Vulnogram-UI clicks, reviewer-thread responses, and the advisory
send** — nothing else. Three coupled changes:

1) **Drop `uv run` invocations from RM-facing instructions** in both
   hand-off templates. The CVE-record API push (and any re-push
   triggered by a body change) is run by the security team during
   sync via `vulnogram-api-record-update`, not by the RM. Even in the
   manual-paste fallback variant, the RM only pastes JSON in the
   `#source` UI; the API tooling is not exposed.

2) **Sync drives the entire post-advisory lifecycle close-out.** On
   the next sync run after the advisory lands in the users-list
   archive, the skill — in a single combined apply triggered by the
   archive-URL signal — captures the URL into the *Public advisory
   URL* body field, **extracts the public-facing short summary from
   the advisory email body** and writes it back to the *Short public
   summary for publish* body field, flips the tracker labels
   (`fix released → announced - emails sent + announced`),
   regenerates and re-pushes the CVE JSON, **moves the Vulnogram
   record `REVIEW → PUBLIC` via the OAuth API** (formerly a manual
   Step-15 click; now driven by sync since the archive URL is the
   real-world signal that the advisory has actually shipped),
   moves the project board to the `Announced` column, and closes the
   tracker.

3) **Sync posts a conditional wrap-up comment** tagging the RM with
   the residual manual steps: archive the now-closed tracker from
   the `Announced` column, and — **only if every sibling on the
   tracker's milestone is also closed at that moment** — close the
   milestone via the URL the comment carries. The conditional
   close-milestone line means the RM never has to check sibling
   state by hand; the milestone close happens when the *last*
   sibling tracker reaches this step.

The previous framing of `REVIEW → PUBLIC` as "intentionally
human-only" is reversed. The gate is now "published archive URL
captured", which collapses RM workflow to a small handful of clicks
and one reviewer-thread response.

Documentation changes in this commit:

  - tools/vulnogram/release-manager-handoff-comment-oauth-pushed.md
    fully rewritten: 7 RM-facing steps, no `uv run` blocks, Step 6
    documents the auto-publish flow, Step 7 follows the wrap-up
    comment.
  - tools/vulnogram/release-manager-handoff-comment.md (manual-paste
    variant) reworked to match the same 7-step RM-facing shape with
    paste-into-#source-UI as the fallback when OAuth is unavailable.
    Still no `uv run` invocations RM-facing.
  - .claude/skills/security-issue-sync/SKILL.md — Step 2b's
    advisory-archive row rewritten as the combined-apply trigger;
    lifecycle-states table updated to reflect the collapsed
    14 → 15 transition.

Implementation TBD as a follow-up: a `vulnogram-api-publish` tool
(REVIEW → PUBLIC via OAuth API), sync code to extract short summary
from the archived email body, label-flip + tracker-close +
wrap-up-comment composition. The convention documented here is the
target; the implementation will follow in a separate PR.

Worked examples landed today on airflow-s/airflow-s as the
adopter-side dry-run of the convention:
  - airflow-s/airflow-s#295 (CVE-2026-27173)
  - airflow-s/airflow-s#355 (CVE-2026-42526)

The adopter override codifying the same convention is at
airflow-s/airflow-s .apache-steward-overrides/security-issue-sync.md
(landed via airflow-s PRs #427, #428, #429 today). When this
upstream PR + the implementation follow-up land, the override
becomes redundant and can be removed via /setup-override-upstream.

Report URL: https://github.com/apache/airflow-steward/actions/runs/26064202715

With regards,
GitHub Actions via GitBox
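The close-out the commit message describes (archive-URL gate, body-field capture, label flip, REVIEW → PUBLIC, tracker close, conditional wrap-up comment) has no implementation yet; the message marks it TBD. The following is an added example, not airflow-steward's code, modelling that flow in Python so the gating and the "only if every sibling is closed" rule can be exercised. Everything in it is an assumption: the `Tracker`/`Milestone` shapes, reading the label flip as "drop `fix released`, add `announced - emails sent` and `announced`", the lists.apache.org thread URL as the archive-link shape, and taking the paragraph under a `Description:` line as the public summary; the advisory body and milestone data are constructed.

```python
"""Hypothetical model of the post-advisory close-out (added example, not
airflow-steward code). All names, label strings and formats are assumptions."""
import re
from dataclasses import dataclass, field

# Assumption: the users-list archive link is a lists.apache.org thread URL.
# Anything else is not the "advisory actually shipped" signal, so no close-out.
ARCHIVE_URL_RE = re.compile(r"^https://lists\.apache\.org/thread/[a-z0-9]+$")

# Assumption: the flip "fix released -> announced - emails sent + announced"
# removes the first label and adds the other two.
ANNOUNCED_LABELS = {"announced - emails sent", "announced"}


@dataclass
class Tracker:
    number: int
    state: str = "open"                       # "open" or "closed"
    labels: set = field(default_factory=lambda: {"fix released"})
    body: dict = field(default_factory=dict)  # body fields keyed by field name
    column: str = "Fix released"              # project board column
    vulnogram_state: str = "REVIEW"           # state of the Vulnogram record


@dataclass
class Milestone:
    url: str
    trackers: list                            # all sibling trackers on the milestone


def extract_short_summary(email_body: str) -> str:
    """Assumption: the public summary is the paragraph under a 'Description:' line."""
    m = re.search(r"^Description:\s*\n(.+?)(?:\n\s*\n|\Z)", email_body, re.M | re.S)
    if not m:
        raise ValueError("no Description: paragraph in advisory body")
    return " ".join(m.group(1).split())       # collapse the email's line wrapping


def close_out(tracker: Tracker, archive_url: str, email_body: str) -> list:
    """Single combined apply triggered by the archive-URL signal.

    Returns the ordered list of actions taken; an already-closed tracker
    yields [] so a repeated sync run is a no-op."""
    if tracker.state == "closed":
        return []
    if not ARCHIVE_URL_RE.match(archive_url):
        raise ValueError(f"refusing close-out: {archive_url!r} is not a published archive URL")
    actions = []
    tracker.body["Public advisory URL"] = archive_url
    tracker.body["Short public summary for publish"] = extract_short_summary(email_body)
    actions.append("body-fields-updated")
    tracker.labels.discard("fix released")
    tracker.labels |= ANNOUNCED_LABELS
    actions.append("labels-flipped")
    actions.append("cve-json-repushed")       # stands in for vulnogram-api-record-update
    tracker.vulnogram_state = "PUBLIC"        # stands in for vulnogram-api-publish
    actions.append("vulnogram-published")
    tracker.column = "Announced"
    tracker.state = "closed"
    actions.append("tracker-closed")
    return actions


def compose_wrapup_comment(tracker: Tracker, milestone: Milestone, rm_login: str) -> str:
    """Residual manual steps for the RM; the close-milestone line is emitted
    only when every sibling tracker on the milestone is closed right now."""
    lines = [
        f"@{rm_login} residual manual steps:",
        f"- archive #{tracker.number} from the Announced column",
    ]
    if all(t.state == "closed" for t in milestone.trackers):
        lines.append(f"- close the milestone: {milestone.url}")
    return "\n".join(lines)


# Constructed advisory body, not a real email.
ADVISORY_BODY = """Severity: moderate

Description:
A constructed example summary
spanning two lines.

Credit:
a constructed reporter
"""

if __name__ == "__main__":
    ms = Milestone("https://github.com/example/repo/milestone/1", [Tracker(101), Tracker(102)])
    for t in ms.trackers:
        close_out(t, "https://lists.apache.org/thread/abc123", ADVISORY_BODY)
        print(compose_wrapup_comment(t, ms, "rm"), end="\n\n")
```

Running the module closes both constructed trackers in turn; only the second wrap-up comment carries the close-milestone line, because only then is every sibling closed.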