feat(release-manager-handoff): explicit hand-off + publication-ready comments#10
Merged
Adds two new first-class comments the sync-security-issue skill posts
on the tracker as the issue moves through the release-manager half of
the lifecycle (Steps 12-15), instead of folding the call-to-action into
the catch-all status rollup. The rollup is the security team's audit
trail and accumulates many small entries; the RM-facing comments are
one-shot orientation surfaces with their own dated context and working
@-mention notifications.
Comment 1 — Release-manager hand-off (Step 12 trigger). Fires exactly
once at the `pr merged` -> `fix released` swap, walks the RM through
Steps 13-15 end-to-end without forcing them to consult external docs.
Lives in tools/<cve-tool>/release-manager-handoff-comment.md as a
parameterised template; sync substitutes CVE_ID, RM_HANDLE, the
Vulnogram #source / #email tab URLs, the embedded-JSON anchor, the
public archive scan URL, and absolute github.com URLs into the
framework. Idempotent via an HTML marker on line 1.
Comment 2 — Publication-ready notification (Step 14 trigger). Fires
exactly once when the *Public advisory URL* body field is populated and
the CVE JSON has been regenerated to include the archive URL. Tells the
RM the final paste + READY -> PUBLIC + close is now unblocked.
Tool-specific Vulnogram details (record state machine, paste flow,
email-preview tab) live under tools/vulnogram/; generic workflow
(when each comment fires, idempotency, apply mechanic) lives in the
sync skill spec and the framework README.
Other lifecycle clarifications:
- READY state added to tools/vulnogram/record.md (between REVIEW and
PUBLIC); the README always referenced it but the tool doc didn't.
- Vulnogram #email tab documented as a load-bearing email-preview
checkpoint before the advisory-send step.
- Step 4 close recipe updated to follow `gh issue close` with an
`archiveProjectV2Item` mutation on every close (terminal or
non-terminal); the recipe lives in tools/github/project-board.md
("Archive a board item — terminal-state cleanup"), idempotent
on already-archived items.
No changes to the existing skill behaviour at `cve allocated` —
the hand-off comment deliberately fires only after release ships
(the user-facing flow before that is handled by existing rollup
status entries).
Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
potiuk added a commit that referenced this pull request (May 30, 2026):

Fifth and final PR of the security genericization series. Lifts the remaining 4 docs in docs/security/ to read config knobs from projects/_template/project.md and the contract docs from PR1-PR4 (cve_authority.*, governance.*, security_inbox.*, forwarders.*, archive_system.*, scope_detection.*). Plus a final scrub of 4 skills for leftover ASF/Vulnogram literals.

Byte-equivalent for the airflow-s adopter: every ASF/Airflow/Vulnogram-specific value either resolves through a config knob whose ASF default matches today's behaviour, OR stays as one named-example aside in generic prose.

Per-target lifts:

- docs/security/threat-model.md (+107/-77) — Purpose/Scope/Assumptions reframed from "ASF"/"PMC" to governance-knob terms. STRIDE matrix rows A.6/A.7/C.1-C.4/E.1-E.2 lifted: Vulnogram -> <cve-tool>; security@apache.org -> <security-list>; DRAFT/REVIEW/READY/PUBLIC -> cve_authority.states sequence (allocated -> review-ready -> publish-ready -> public). Mitigations M.10/M.16/M.18/M.19/M.27 + residual risks #3/#8/#10/#11 + re-audit cadence ownership generalised.
- docs/security/forwarder-routing-policy.md (+42/-27) — references the optional security-issue-import-via-forwarder sub-skill from PR3 (#387) and the tools/forwarder-relay/README.md contract. Replaces "ASF-security relay" / "security@apache.org" with forwarders.enabled / <security-list> / foundation_security_address. ASF-Airflow shown as a named-example aside per concept.
- docs/security/how-to-fix-a-security-issue.md (+20/-8) — "governance-authorised member of the adopting project (per governance.cve_allocation_gate)" replaces "PMC member of apache/airflow"; <cve-tool> + cve_authority.* replaces Vulnogram-specific URLs and state names; archive_system.advisory_publication_signal_url replaces the lists.apache.org users-list URL.
- docs/security/new-members-onboarding.md (+26/-13) — onboarding-style register preserved. "PMC members and committers" reframed as "governance body that satisfies governance.cve_allocation_gate"; per-user-config "PMC status" steps reference the governance knob; Vulnogram steps reference <cve-tool> via cve_authority.record_url_template.
- Final scrub of 4 skills (+17/-15 net): security-issue-import, security-issue-import-via-forwarder, security-issue-invalidate, security-issue-fix — leftover literal references caught and lifted to roster.bare_name_handles / governance.escalation_contact / forwarders.<adapter>.contact_handle.

Aggregate: 8 files, +240/-156 lines.

That closes the series. Five PRs (#381, #386, #387, #388, this) transitioned the security skill family from Airflow/ASF-coupled to a generic framework with ASF as the default-configured option. The airflow-s adopter, with the ASF defaults baked into project.md, sees byte-equivalent behaviour throughout. Non-ASF adopters override specific dimensions (CVE authority, mail provider, archive system, governance gate, scope axis) by changing only their <project-config>/ files.

Generated-by: Claude Code (Opus 4.7)
justinmclean added a commit to justinmclean/airflow-steward that referenced this pull request (Jun 20, 2026):

… known gap

Add the missing [dependency-groups] dev section to tools/skill-and-tool-validator/pyproject.toml so that the spec's validation command (uv run --project ... --group dev pytest) works. The validate_asf_coupling check (SOFT check apache#10), its patterns, and the full TestValidateAsfCoupling test class were already present in the source; 258 tests pass, and skill-and-tool-validate surfaces 86 advisory asf-coupling warnings on the live repo with no hard failures.

Update specs/project-agnosticism.md Known-gaps to replace "No automated ASF-coupling lint exists" with the current state: the lint is live and advisory, and the remaining work is acting on the flagged coupling hits.

Generated-by: Claude (Opus 4.7)
potiuk pushed a commit that referenced this pull request (Jun 27, 2026):

… known gap (#538)

* lint to make sure skills are ASF-agnostic

* feat(validator): add dev dependency-group and close asf-coupling-lint known gap

Add the missing [dependency-groups] dev section to tools/skill-and-tool-validator/pyproject.toml so that the spec's validation command (uv run --project ... --group dev pytest) works. The validate_asf_coupling check (SOFT check #10), its patterns, and the full TestValidateAsfCoupling test class were already present in the source; 258 tests pass, and skill-and-tool-validate surfaces 86 advisory asf-coupling warnings on the live repo with no hard failures.

Update specs/project-agnosticism.md Known-gaps to replace "No automated ASF-coupling lint exists" with the current state: the lint is live and advisory, and the remaining work is acting on the flagged coupling hits.

Generated-by: Claude (Opus 4.7)
Summary
Adds two new first-class comments the `sync-security-issue` skill posts on the tracker as the issue moves through the release-manager half of the lifecycle (Steps 12-15), instead of folding the call-to-action into the catch-all status rollup.

The rollup is the security team's audit trail and accumulates many small entries collapsed into `<details>` blocks; the RM-facing comments are one-shot orientation surfaces with their own dated context and working @-mention notifications. A drive-by RM should be able to drive Steps 13-15 from two comments on the issue page without consulting the rollup or external docs.
What's added
Comment 1 — Release-manager hand-off (Step 12 trigger)

Fires exactly once at the `pr merged` → `fix released` swap. Walks the RM through Steps 13-15 end-to-end with a numbered checklist: first paste → REVIEW → (rare conditional re-paste after CNA reviewer comments) → READY → email preview on the `#email` tab (new load-bearing checkpoint, see below) → send advisory → wait for publication-ready notification → second paste → PUBLIC → close. Template body: `tools/vulnogram/release-manager-handoff-comment.md`. Idempotent via the marker `<!-- apache-steward: release-manager-handoff v1 -->` on line 1.
Comment 2 — Publication-ready notification (Step 14 trigger)

Fires exactly once when the Public advisory URL body field is populated by sync (the existing Step 14 transition). Tells the RM the URL has been captured, the JSON has been regenerated to include it as a `vendor-advisory` reference, and the final paste + READY → PUBLIC + close is now unblocked. Template body: `tools/vulnogram/release-manager-publication-comment.md`. Idempotent via `<!-- apache-steward: release-manager-publication-ready v1 -->`.

Architectural split (tool-specific vs generic)
The user's request was "do it in the way that 'tool' specific part is done in the tool part in apache-steward submodule and generic workflow is explained in generic part of it". Concretely:

- Tool-specific (under `tools/vulnogram/`): record state machine (DRAFT/REVIEW/READY/PUBLIC) + paste flow + `#email` preview tab in `tools/vulnogram/record.md`; release-manager checklist in `tools/vulnogram/release-manager-handoff-comment.md` and `release-manager-publication-comment.md`.
- Generic: `.claude/skills/sync-security-issue/SKILL.md` (Step 2b + Step 4); `README.md` — Steps 12-15.

The skill loads the comment template by resolving `tools/<cve-tool>/release-manager-{handoff,publication}-comment.md` based on the project's `cve_tool` setting in `<project-config>/project.md`, so a project that swaps Vulnogram for a different CVE tool only needs to provide its own template files (no skill changes).
Other lifecycle clarifications
- `READY` state added to `tools/vulnogram/record.md`. The framework `README.md` always referenced it but the tool doc only documented DRAFT/REVIEW/PUBLIC.
- `#email` tab documented as a load-bearing email-preview checkpoint before the advisory-send step. Fixes a real footgun: the JSON view doesn't surface formatting issues (truncation, broken markdown, missing patch links) that the rendered email does.
- Step 4 close recipe updated to follow `gh issue close` with an `archiveProjectV2Item` mutation on every close (terminal or non-terminal), per the new "Archive a board item" recipe in `tools/github/project-board.md`. Idempotent on already-archived items.
Deliberately unchanged
- Existing skill behaviour at `cve allocated`. The hand-off comment deliberately fires only after the release ships — the user-facing flow before that is well-served by existing rollup status entries and would lose context by the time the release manager actually needs the call-to-action.
- 1-11). This is purely a downstream-of-release-ship enhancement.
Test plan
- `prek run --files <touched>` passes (doctoc, eof, mixed-line-endings, trailing whitespace).
- (#257 on airflow-s/airflow-s is at the `fix released` step right now) via the substituted template, verify rendering on github.com, verify the @-mention to @shahar1 resolves.
- #293 on airflow-s/airflow-s (already at `announced`, so this is a catch-up post for the RM who advanced the tracker before the framework feature existed).
- 12 / 14 with this skill version live, verify both comments fire at the right moments and that subsequent sync runs respect the idempotency markers.
🤖 Generated with Claude Code
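The two-comment lifecycle the PR describes (parameterised template substitution, an HTML marker on line 1 as the idempotency key, the Step 12 and Step 14 triggers) as an added Python example. This is illustration written for this page, not apache-steward's code: the template bodies, placeholder names, the `issue` dict shape and the sample comments are constructed assumptions; only the two marker strings and the `fix released` status name are taken from the PR text.

```python
import re

# Marker strings as quoted in the PR description above. Everything else
# in this block is an added illustration, not apache-steward's own code.
HANDOFF_MARKER = "<!-- apache-steward: release-manager-handoff v1 -->"
PUBLICATION_MARKER = "<!-- apache-steward: release-manager-publication-ready v1 -->"

# Hypothetical template bodies in the shape the PR describes. The real
# files live under tools/<cve-tool>/ and are not reproduced here.
TEMPLATES = {
    "handoff": (
        "{MARKER}\n"
        "@{RM_HANDLE} {CVE_ID} has shipped; Steps 13-15 are yours.\n"
        "1. Paste the JSON into {SOURCE_TAB_URL} and move the record to REVIEW.\n"
        "2. Preview the rendered advisory on {EMAIL_TAB_URL} before sending it.\n"
        "3. Wait for the publication-ready comment, paste again, move to PUBLIC, close.\n"
    ),
    "publication-ready": (
        "{MARKER}\n"
        "@{RM_HANDLE} the public advisory URL for {CVE_ID} was captured as\n"
        "{ADVISORY_URL} and the CVE JSON now carries it as a vendor-advisory\n"
        "reference. Final paste + READY -> PUBLIC + close is unblocked.\n"
    ),
}
MARKERS = {"handoff": HANDOFF_MARKER, "publication-ready": PUBLICATION_MARKER}
PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")


def render(kind, params):
    """Substitute every {NAME} placeholder in the named template. A missing
    key raises instead of leaving a literal {NAME} in a tracker comment,
    and the rendered body is checked to carry its marker on line 1."""
    values = dict(params, MARKER=MARKERS[kind])

    def fill(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"unfilled placeholder {key} in {kind} template")
        return values[key]

    body = PLACEHOLDER.sub(fill, TEMPLATES[kind])
    if body.splitlines()[0] != MARKERS[kind]:
        raise ValueError(f"{kind} template must start with its marker")
    return body


def already_posted(comments, marker):
    """Idempotency check: a prior post counts only when its first line is
    exactly the marker, so a marker quoted inside a rollup entry does not
    suppress the real comment."""
    return any(c.splitlines()[0].strip() == marker for c in comments if c.strip())


def sync_once(issue, params):
    """One sync pass. `issue` is a constructed dict standing in for the
    tracker issue (status label, body fields, existing comment bodies).
    Returns the comment kinds posted and appends the rendered bodies to
    issue['comments'] in place of the real post-a-comment call."""
    posted = []
    # Step 12 trigger: status has reached `fix released` and no hand-off yet.
    if (issue["status"] == "fix released"
            and not already_posted(issue["comments"], HANDOFF_MARKER)):
        issue["comments"].append(render("handoff", params))
        posted.append("handoff")
    # Step 14 trigger: advisory URL captured AND the regenerated JSON carries it.
    url = issue.get("public_advisory_url")
    json_has_url = url is not None and url in issue.get("cve_json_references", ())
    if json_has_url and not already_posted(issue["comments"], PUBLICATION_MARKER):
        issue["comments"].append(
            render("publication-ready", dict(params, ADVISORY_URL=url)))
        posted.append("publication-ready")
    return posted


if __name__ == "__main__":
    # Constructed sample: a `fix released` issue whose rollup already quotes
    # the hand-off marker mid-entry; the quote must not count as a post.
    sample_params = {
        "CVE_ID": "CVE-0000-0000",  # placeholder, not a real identifier
        "RM_HANDLE": "rm-example",
        "SOURCE_TAB_URL": "https://example.invalid/#source",
        "EMAIL_TAB_URL": "https://example.invalid/#email",
    }
    sample_issue = {
        "status": "fix released",
        "comments": [f"(status rollup) marker seen: {HANDOFF_MARKER}"],
        "cve_json_references": [],
    }
    print(sync_once(sample_issue, sample_params))  # ['handoff']
    print(sync_once(sample_issue, sample_params))  # []  (idempotent)
```

The check in `already_posted` is deliberately stricter than a substring search: the rollup is allowed to quote marker text in its own entries, so only a comment that begins with the marker on its first line is treated as the RM-facing post. The publication-ready branch keys on both the captured URL and its presence in the regenerated JSON, matching the two-part Step 14 condition in the description; a URL captured before the JSON is regenerated does not fire the comment.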