Skip to content

refactor(skills): push regenerated CVE JSON on every regen, not only at fix-released#774

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:refactor/push-cve-json-on-every-regen
Jul 7, 2026
Merged

refactor(skills): push regenerated CVE JSON on every regen, not only at fix-released#774
potiuk merged 1 commit into
apache:mainfrom
potiuk:refactor/push-cve-json-on-every-regen

Conversation

@potiuk

@potiuk potiuk commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary

  • Step 5b of security-issue-sync now states explicitly that the CVE-tool
    push fires on every regen of the CVE JSON, not only at the
    pr merged → fix released transition.
  • Enumerates the non-fix-released triggers (advisory-URL/announced
    close-out on PUBLISHED records; reviewer-feedback title/summary edits on
    DRAFT/REVIEW; field corrections).
  • Reframes the fix released paragraph as the one instance of the general
    rule that is also mandatory/non-deferrable.
  • Documents that a generator-driven REVIEW → DRAFT state walk-back on a
    title/summary edit is intended.

Motivation

Step 5b's push mechanics are already trigger-agnostic, but the only
emphatic prose about when the push fires is the fix released
"not deferrable" paragraph. In a real Apache Airflow sync run that
prominence led the operator to hedge and not auto-push six advisory
close-out regens (adding the vendor-advisory reference to already-PUBLISHED
records) plus a reviewer-feedback title/summary edit — the records drifted
from the tracker body until a manual re-push. This removes the ambiguity.

Originated as a local adopter override:
.apache-magpie-overrides/security-issue-sync.md ("Always push the
regenerated CVE JSON on every regen").

Migration path for existing adopters

Documentation-only clarification of existing behaviour — no config knob, no
default flip. Adopters running the authenticated-session push path get the
same mechanics; those without a session still fall through to the
manual-paste hand-off exactly as before. All Step 5b guardrails (pre-push
hygiene gates, session probe, verify-after-push) are unchanged.

Test plan

  • SKIP=lychee prek run --files skills/security-issue-sync/apply-and-push.md
    → all hooks pass (markdownlint, typos, check-placeholders,
    skill-and-tool-validate).
  • Exercised end-to-end in the originating adopter: seven records
    regenerated + pushed (six PUBLISHED gaining the vendor-advisory reference,
    one walked REVIEW→DRAFT on a title/summary edit), states verified via
    vulnogram-api-record-fetch --state-only.

🤖 Generated with Claude Code

…at fix-released

Step 5b's push mechanics are trigger-agnostic, but the only emphatic
statement about *when* the push fires was the `pr merged → fix released`
"not deferrable" paragraph. That prominence led an operator to hedge and
skip the auto-push on advisory close-out regens, leaving live records
drifted from the tracker body until a manual re-push.

Make the general rule explicit: the push fires on *every* regen —
advisory-URL/announced close-outs on PUBLISHED records, reviewer-feedback
title/summary edits, and field corrections — with `fix released` reframed
as the one instance that is also mandatory/non-deferrable. Document that a
REVIEW → DRAFT state walk-back on a title/summary edit is intended.

Originated as a local override in an Apache Airflow adopter
(.apache-magpie-overrides/security-issue-sync.md).

Generated-by: Claude Code (Claude Opus 4.8)
@potiuk potiuk added family:security security-* skills capability:intake Import external signal + sync tracker state labels Jul 7, 2026
@potiuk potiuk merged commit 21dfbcf into apache:main Jul 7, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

capability:intake Import external signal + sync tracker state family:security security-* skills

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant