fix(generate-cve-json): forward-state labels keep CNA_private.state at REVIEW #373
Merged
…t REVIEW

When release-vote gating is enabled, the generator computed release_vote_in_progress = (RC_VOTING_LABEL in issue_labels). The sync skill's pr-merged-to-fix-released transition removes the rc-voting label and adds fix-released, so the two events combined made the generator compute release_vote_in_progress=False and walk the embedded CNA_private.state back from REVIEW to DRAFT — the wrong direction for a record about to be published.

Add a FORWARD_STATE_LABELS set (configurable via [workflow].forward_state_labels, default fix-released / announced-emails-sent / announced / vendor-advisory-ready) and OR it into the gate check. Any forward-state label on the tracker means the release has shipped — the vote, if there was one, passed — so the rc-voting gate is moot.

The bug was caught while syncing airflow-s#259 and airflow-s#377 after Airflow 3.2.2 shipped. The sync skill workaround was to pass --review on every regen, but that loses the auto-gate behaviour the config switch is supposed to provide.

Tests:
- test_forward_state_labels_keep_state_at_review_when_rc_voting_removed verifies every default forward-state label keeps REVIEW.
- test_custom_forward_state_labels_from_config verifies adopters can extend or replace the default set.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
When release-vote gating is enabled (`[workflow].release_vote_gating = true`), the generator computed `release_vote_in_progress = (RC_VOTING_LABEL in issue_labels)`. The sync skill's `pr merged` → `fix released` transition removes the `rc voting` label and adds `fix released`; the two events combined made the generator compute `release_vote_in_progress=False`, which walks the embedded `CNA_private.state` back from `REVIEW` to `DRAFT` — the wrong direction for a record that's about to be published.

The merge-mode state-downgrade guard only refuses `PUBLIC → non-PUBLIC`, so a `REVIEW → DRAFT` push lands silently.

Real-world impact
Caught while syncing airflow-s/airflow-s#259 and airflow-s/airflow-s#377 after Airflow 3.2.2 shipped. The sync skill workaround was to pass `--review` on every regen, but that loses the auto-gate behaviour the config switch is supposed to provide and forces the operator to remember a flag.

Engelen's reviewer comment on CVE-2026-45192 ("This advisory doesn't seem properly populated at all, did you really intend to move it to 'REVIEW'?") was triggered by the under-populated record that landed before today's pre-push hygiene gates (#372) — but the state regression bug here is separate from the hygiene problem and would have continued biting after #372 merged.

Fix
Add a `FORWARD_STATE_LABELS` set (configurable via `[workflow].forward_state_labels`, default `["fix released", "announced - emails sent", "announced", "vendor-advisory ready"]`) and OR it into the gate check in `cve_json.py`.

Any forward-state label on the tracker means the release has shipped — the vote, if there was one, passed — so the rc-voting gate is moot and the state stays at `REVIEW` (or advances to `PUBLIC` on `vendor-advisory`).

Test plan
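The gate the tests exercise, as an added stand-alone illustration that is not the project's `cve_json.py`: the pre-fix check beside the post-fix check, the sync transition that removes `rc voting`, and the merge guard that only refuses `PUBLIC → non-PUBLIC`. Constant names, the config dict shape and the sample labels are assumptions; the default label set is the one quoted above.

```python
# Added illustration of the gate logic this PR describes; it is not code from
# cve_json.py. Constant names and the config dict shape are assumptions.
RC_VOTING_LABEL = "rc voting"

# Defaults quoted in the PR description for [workflow].forward_state_labels.
DEFAULT_FORWARD_STATE_LABELS = frozenset(
    {"fix released", "announced - emails sent", "announced", "vendor-advisory ready"}
)


def forward_state_labels(config: dict) -> frozenset:
    """Adopters may extend or replace the default set via the config."""
    configured = config.get("workflow", {}).get("forward_state_labels")
    return frozenset(configured) if configured else DEFAULT_FORWARD_STATE_LABELS


def gated_state_before_fix(issue_labels: set, config: dict) -> str:
    """Pre-fix gate: only the rc-voting label keeps CNA_private.state at REVIEW."""
    release_vote_in_progress = RC_VOTING_LABEL in issue_labels
    return "REVIEW" if release_vote_in_progress else "DRAFT"


def gated_state_after_fix(issue_labels: set, config: dict) -> str:
    """Post-fix gate: a forward-state label means the release shipped, so the
    rc-voting gate is moot and the state stays at REVIEW."""
    release_vote_in_progress = RC_VOTING_LABEL in issue_labels
    release_shipped = bool(issue_labels & forward_state_labels(config))
    return "REVIEW" if (release_vote_in_progress or release_shipped) else "DRAFT"


def sync_pr_merged_to_fix_released(issue_labels: set) -> set:
    """The sync skill transition: remove 'rc voting', add 'fix released'."""
    return (issue_labels - {RC_VOTING_LABEL}) | {"fix released"}


def merge_state(existing: str, proposed: str) -> str:
    """Merge-mode downgrade guard as the PR describes it: it refuses only
    PUBLIC -> non-PUBLIC, so a REVIEW -> DRAFT regression lands silently."""
    if existing == "PUBLIC" and proposed != "PUBLIC":
        raise ValueError(f"refusing state downgrade {existing} -> {proposed}")
    return proposed


def regen_state(existing: str, issue_labels: set, config: dict, fixed: bool) -> str:
    """Regenerate under release-vote gating (assumed enabled) and merge the result."""
    gate = gated_state_after_fix if fixed else gated_state_before_fix
    return merge_state(existing, gate(issue_labels, config))
```

Running `regen_state("REVIEW", sync_pr_merged_to_fix_released({"rc voting"}), cfg, fixed=False)` reproduces the silent `REVIEW → DRAFT` regression; the same call with `fixed=True` keeps `REVIEW`.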
- `test_forward_state_labels_keep_state_at_review_when_rc_voting_removed` — verifies every default forward-state label keeps REVIEW.
- `test_custom_forward_state_labels_from_config` — verifies adopters can extend or replace the default set via `[workflow].forward_state_labels`.
- `pytest -k 'forward_state or rc_voting or gating'`
- `ruff format` re-applied + re-staged

Follow-up

The sync skill can drop its `--review` workaround for the `pr merged` → `fix released` transition once this lands. The five pre-push hygiene gates from #372 remain unchanged — they target body-field quality, not the state gate.

Was generative AI tooling used to co-author this PR?