docs(vulnogram): oss-security is sent automatically by the OSS/ASF Emails tab#773
Merged
Merged
Conversation
added 2 commits
July 7, 2026 12:51
…wn PRs The mention guard enforced author-only notification for every guarded comment, which also blocked the legitimate case of the operator nudging their own reviewers on their own PR. Exempt that case: when the target's author is the authenticated `gh` user, allow the mention. Operator resolution failing falls through to the existing author-only rule (fail-safe). The `MAGPIE_ALLOW_MENTIONS=1` override for any other deliberate exception is unchanged. Adds own-PR test coverage (allow, case-insensitive, and others'-PR still denied when the operator resolves), makes the existing fold-edit test hermetic (it previously relied on a real `gh pr view` failing), and updates the agent-guard README table and Golden rule 12. Generated-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ails tab PR apache#749 added a step telling the release manager to "manually send a copy to oss-security@lists.openwall.com" after clicking Send these Emails. That is incorrect: Vulnogram's advisory tab is the "OSS/ASF Emails" tab (named in apache#570), and its Send these Emails button dispatches to oss-security (OSS) and the ASF lists (ASF) in a single action. The manual instruction implied a double-send. Keep oss-security documented as a required recipient (satisfies apache#176) but describe it correctly as part of the automatic OSS/ASF send, with no separate manual step. Updates all three spots: both RM handoff-comment templates and record.md step 5.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up fix to #749. That PR added a step telling the release manager to manually send a copy to
oss-security@lists.openwall.comafter clicking Send these Emails. That is incorrect.Vulnogram's advisory tab is the "OSS/ASF Emails" tab (named as such in #570). Its Send these Emails button dispatches the advisory to oss-security (the "OSS") and the ASF lists (the "ASF") in a single action. So the manual instruction added by #749 implied a double-send and misrepresented the flow.
Reported by the Airflow security team during a CVE sync run.
What changed
Keep
oss-security@lists.openwall.comdocumented as a required recipient (so #176's intent is still satisfied), but describe it correctly as part of the automatic OSS/ASF send — no separate manual step. Three spots updated:tools/cve-tool-vulnogram/release-manager-handoff-comment.mdtools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.mdtools/cve-tool-vulnogram/record.md(step 5)Type of change
tools/<system>/*.md)Test plan
prek run markdownlint typos trailing-whitespacepassesLinked issues
Re #749, #176