refactor(skills): push regenerated CVE JSON on every regen, not only at fix-released#774
Merged
Conversation
…at fix-released Step 5b's push mechanics are trigger-agnostic, but the only emphatic statement about *when* the push fires was the `pr merged → fix released` "not deferrable" paragraph. That prominence led an operator to hedge and skip the auto-push on advisory close-out regens, leaving live records drifted from the tracker body until a manual re-push. Make the general rule explicit: the push fires on *every* regen — advisory-URL/announced close-outs on PUBLISHED records, reviewer-feedback title/summary edits, and field corrections — with `fix released` reframed as the one instance that is also mandatory/non-deferrable. Document that a REVIEW → DRAFT state walk-back on a title/summary edit is intended. Originated as a local override in an Apache Airflow adopter (.apache-magpie-overrides/security-issue-sync.md). Generated-by: Claude Code (Claude Opus 4.8)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
security-issue-syncnow states explicitly that the CVE-toolpush fires on every regen of the CVE JSON, not only at the
pr merged → fix releasedtransition.announcedclose-out on PUBLISHED records; reviewer-feedback title/summary edits on
DRAFT/REVIEW; field corrections).
fix releasedparagraph as the one instance of the generalrule that is also mandatory/non-deferrable.
REVIEW → DRAFTstate walk-back on atitle/summary edit is intended.
Motivation
Step 5b's push mechanics are already trigger-agnostic, but the only
emphatic prose about when the push fires is the
fix released"not deferrable" paragraph. In a real Apache Airflow sync run that
prominence led the operator to hedge and not auto-push six advisory
close-out regens (adding the
vendor-advisoryreference to already-PUBLISHEDrecords) plus a reviewer-feedback title/summary edit — the records drifted
from the tracker body until a manual re-push. This removes the ambiguity.
Originated as a local adopter override:
.apache-magpie-overrides/security-issue-sync.md("Always push theregenerated CVE JSON on every regen").
Migration path for existing adopters
Documentation-only clarification of existing behaviour — no config knob, no
default flip. Adopters running the authenticated-session push path get the
same mechanics; those without a session still fall through to the
manual-paste hand-off exactly as before. All Step 5b guardrails (pre-push
hygiene gates, session probe, verify-after-push) are unchanged.
Test plan
SKIP=lychee prek run --files skills/security-issue-sync/apply-and-push.md→ all hooks pass (markdownlint, typos, check-placeholders,
skill-and-tool-validate).
regenerated + pushed (six PUBLISHED gaining the vendor-advisory reference,
one walked REVIEW→DRAFT on a title/summary edit), states verified via
vulnogram-api-record-fetch --state-only.🤖 Generated with Claude Code